In this article, I will detail an Authenticated Remote Code Execution (RCE) vulnerability I discovered in EspoCRM (<= v9.3.4). This flaw allows an attacker with administrative privileges to gain full control over the underlying operating system by bypassing traditional application boundaries through the extension installation mechanism.
Summary
EspoCRM (v9.3.4) allows administrative users to upload and install extensions. A vulnerability exists where a specially crafted extension package can include a script (BeforeInstall.php) that is executed by the server during the installation process. Since there is no validation or sandboxing of this script, an attacker with admin privileges can execute arbitrary PHP code and OS commands on the server.
Vendor Status
The vendor has been notified and stated: "This is an expected behavior." Therefore, this PoC is published for educational purposes and to inform users about the inherent risks of the administrative interface so they can apply necessary server-level hardening.
Proof of Concept Video
You can watch the demonstration of the exploit below:
Proof of Concept
The attack vector is straightforward for anyone familiar with PHP-based CRMs:
- Prepare: Create a manifest and a malicious BeforeInstall.php class.
- Compress: Zip the malicious files into a standard extension format.
- Deploy: Upload via the "Administration > Extensions" panel.
- Execute: Click "Install" and watch the server execute the commands.
For the full step-by-step terminal commands and manifest files, please refer to the official PoC on GitHub.
I've documented the full technical details, PoC scripts, and mitigation steps across my platforms:
- Detailed Technical Blog: iltosec.com — Full Writeup
- Exploit Repository: GitHub — EspoCRM RCE PoC
Impact
- Full System Compromise: The attacker gains the ability to execute arbitrary OS commands.
- Data Breach: Access to sensitive configuration files allows stealing database credentials and encryption keys.
- Persistence: Backdoors can be placed in the public directory for long-term access.
- Lateral Movement: The compromised server can act as a pivot point for internal network attacks.
Recommended Mitigation
- Verify extension packages using trusted signatures before execution.
- Disable Hooks: Provide a configuration option to disable pre/post install scripts.
- Introduce a restrictedMode option to disable execution of BeforeInstall.php.
- Security Setting: Enable 'adminUpgradeDisabled' => true in high-security deployments to prevent extension uploads entirely.
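As an added example (not code from the original post or from EspoCRM), the following Python pre-install gate applies the first two mitigations to an extension package before the installer ever sees it: it verifies a detached HMAC-SHA256 signature under a trusted deployment key and lists any install-time hook scripts the archive carries. The hook names other than BeforeInstall.php, the signing scheme, the key and the sample package are assumptions.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Install-time scripts the installer would execute. The page names
# BeforeInstall.php; the other three are assumed from the extension layout.
HOOK_SCRIPTS = {"BeforeInstall.php", "AfterInstall.php",
                "BeforeUninstall.php", "AfterUninstall.php"}

def find_install_hooks(package: bytes) -> list:
    """List archive members whose basename matches an install hook script."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.rsplit("/", 1)[-1] in HOOK_SCRIPTS)

def sign_package(package: bytes, key: bytes) -> str:
    """Detached HMAC-SHA256 over the raw zip bytes (assumed signing scheme)."""
    return hmac.new(key, package, hashlib.sha256).hexdigest()

def package_is_trusted(package: bytes, signature_hex: str, key: bytes) -> bool:
    """Constant-time check of the detached signature against the trusted key."""
    return hmac.compare_digest(sign_package(package, key), signature_hex)

def review_package(package: bytes, signature_hex: str, key: bytes,
                   allow_hooks: bool = False) -> dict:
    """Gate decision before handing the zip to the installer: unsigned packages
    are refused, and signed ones too when they carry hooks and hooks are off."""
    hooks = find_install_hooks(package)
    trusted = package_is_trusted(package, signature_hex, key)
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
    return {"name": manifest.get("name"), "hooks": hooks,
            "signed_by_trusted_key": trusted,
            "allow_install": trusted and (allow_hooks or not hooks)}

def build_sample_package(with_hook: bool) -> bytes:
    """Constructed sample package for testing; not a real EspoCRM extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({"name": "Sample", "version": "1.0.0"}))
        zf.writestr("files/custom/README.txt", "constructed placeholder file")
        if with_hook:  # inert placeholder body standing in for a hook class
            zf.writestr("scripts/BeforeInstall.php", "<?php class BeforeInstall {}")
    return buf.getvalue()
```

With hooks disabled by policy, a correctly signed package that still ships a BeforeInstall.php is refused, which is the behaviour the "Disable Hooks" mitigation asks the application to provide.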