CVE Catalog

CVE-2025-67887

Critical
Published: Translated: NVD NIST

Summary

1C-Bitrix version 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file.

Risk Assessment

The organization may be exposed to malicious actions if unauthorized users gain access to SOURCE/WRITE permissions, potentially leading to system compromise.

Recommendation

It is recommended to restrict permissions for the Translate Module and monitor the activities of high-privileged users to prevent unauthorized file uploads.

Original NVD description (English source)

1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS