Security researcher Mattia "0xbro" Brollo spent three months trying to get vtenext to fix critical vulnerabilities in their CRM software. The vendor ignored him completely, then quietly patched only one of the three bugs without giving him credit. Two critical flaws are still live in production systems used by thousands of small businesses.
The Attack Chain That Bypasses Everything
Here's how fucked this is: An attacker can completely bypass login on any vtenext CRM installation using a three-step process that works 100% of the time.
First, they abuse a reflected XSS vulnerability in the HomeWidgetBlockList module. The code doesn't sanitize widgetId parameters before reflecting them back with Content-Type: text/html. You can inject JavaScript via POST or GET requests - there's no CSRF token check, so method tampering works perfectly.
Next, they exploit an information disclosure bug in the Touch module that leaks session cookies, completely defeating the HttpOnly flag. A simple <img onerror> payload sends the victim's PHPSESSID to the attacker's server.
Finally, they use the stolen session or escalate via SQL injection in modules/Fax/EditView.php, where user-supplied field names get interpolated directly into SQL queries. Even though the code uses prepared statements, they're implemented wrong, so you can extract password reset tokens from the vte_userauthtoken table.
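The "prepared statements implemented wrong" pattern above, as an added illustration that is not vtenext's code: a placeholder binds values, never identifiers, so a column name taken from the request still lands verbatim in the query unless it is checked against an allow-list. The table, columns and sample row are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for a CRM record table; not vtenext's real schema.
SCHEMA = """
CREATE TABLE fax_records (id INTEGER PRIMARY KEY, subject TEXT, recipient TEXT);
INSERT INTO fax_records VALUES (1, 'Invoice 42', 'alice@example.invalid');
"""

# Column names the edit view is allowed to read: the allow-list is the fix.
ALLOWED_FIELDS = {"subject", "recipient"}
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_vulnerable(field_name):
    # The '?' correctly binds the record id, but the column name is
    # interpolated before the statement is prepared, so the database
    # sees whatever expression the caller supplied as part of the SQL.
    return f"SELECT {field_name} FROM fax_records WHERE id = ?"


def fetch_field_vulnerable(conn, field_name, record_id):
    return conn.execute(build_query_vulnerable(field_name), (record_id,)).fetchone()[0]


def is_permitted_field(field_name):
    # Identifiers cannot be parameterised, so validate them: exact membership
    # in a fixed allow-list plus a strict identifier pattern as belt and braces.
    return field_name in ALLOWED_FIELDS and IDENTIFIER.fullmatch(field_name) is not None


def fetch_field_hardened(conn, field_name, record_id):
    if not is_permitted_field(field_name):
        raise ValueError(f"field not permitted: {field_name!r}")
    # Quoting the (now trusted) identifier keeps it from being parsed as an expression.
    sql = f'SELECT "{field_name}" FROM fax_records WHERE id = ?'
    return conn.execute(sql, (record_id,)).fetchone()[0]


if __name__ == "__main__":
    db = connect()
    print(fetch_field_hardened(db, "subject", 1))
    # An arbitrary SQL expression passed as the "field name" is evaluated by the vulnerable path
    print(fetch_field_vulnerable(db, "length(recipient)", 1))
```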
The Password Reset Bug That Breaks Everything
The most devastating vulnerability (patched only in version 25.02.1) is an arbitrary password reset in hub/rpwd.php. Send a POST request to the change_password action with any user_name and confirm_new_password parameters - no token required, no current password verification.
The code directly updates the database with your new password and invalidates existing tokens. Boom, you're admin on someone else's CRM with all their customer data, financial records, and business communications.
Remote Code Execution Via Multiple Paths
Once you're authenticated (especially as admin), getting code execution is trivial through several methods:
Path 1: Local File Inclusion Abuse - Various modules have LFI flaws letting you traverse and include arbitrary PHP files. If the server has PEAR installed, include pearcmd.php to write backdoor scripts directly to the webroot.
Path 2: Malicious Module Upload - Use the legitimate module upload functionality to import a custom module containing a web shell. Social engineer the admin into approving it, and you have persistent access.
Both paths give you full server access to download databases, install backdoors, or pivot to other internal systems. For small businesses without dedicated IT security, this is game over.
Vendor Response: Ignore, Patch Secretly, Blame Email
Brollo's disclosure timeline shows three months of attempted responsible disclosure starting in April 2025. vtenext completely ignored all contact attempts until finally releasing a "silent patch" on July 24th without acknowledgment.
When they finally responded on August 13th, vtenext blamed spam filters for missing the reports and claimed some issues were already fixed during third-party penetration testing. They provided no coordinated disclosure policy and left two of the three vulnerabilities completely unpatched.
This is exactly the kind of vendor response that makes security researchers say fuck it and publish zero-days publicly. When companies ignore researchers for months, public disclosure becomes the only way to force fixes.
Impact: Thousands of Small Businesses at Risk
vtenext CRM is popular among small and medium businesses who can't afford enterprise solutions like Salesforce. These companies often lack dedicated security teams and rely on vendors to handle security properly.
The combination of unauthenticated access, admin escalation, and remote code execution means attackers can:
- Steal all customer data and financial records
- Install persistent backdoors for long-term access
- Use compromised servers for lateral movement into business networks
- Hold data for ransom or sell it on dark markets
Small businesses are increasingly targeted by cybercriminals because they have valuable data but weak security practices. A vulnerability like this is exactly what attackers look for.
What You Need to Do Right Now
If you're running vtenext CRM:
- Update immediately to version 25.02.1 or later - this fixes the password reset bug
- Check your logs for suspicious authentication activity since April 2025
- Reset all admin passwords and revoke existing session tokens
- Review user accounts for unauthorized additions or privilege escalations
- Consider switching CRMs if you can't trust the vendor to handle security properly
For the two unpatched vulnerabilities (XSS/session hijacking and SQL injection), there's no fix available yet. You'll need to implement web application firewall rules or consider migrating to a more secure platform.