A detailed security analysis published by security researcher Mattia "0xbro" Brollo reveals three critical vulnerabilities in vtenext CRM that allow complete unauthenticated takeover of enterprise systems. The flaws affect vtenext 25.02 and earlier versions - a commercial CRM platform used by numerous small and medium businesses across Italy and beyond.
The vulnerability combo is devastating. An unauthenticated attacker can bypass authentication entirely through multiple vectors, escalate to administrative privileges, and achieve remote code execution on the underlying server. I've seen similar CRM compromises cost companies hundreds of thousands in recovery costs, not counting the customer data exposure.
Security researcher Brollo discovered the vulnerabilities while analyzing vtenext's codebase using differential testing approaches. The findings include three distinct authentication bypass vectors, each with different exploitation requirements but leading to the same outcome: complete system compromise.
Authentication Bypass Vector #1: XSS + CSRF + Session Disclosure
The first attack chain exploits a reflected Cross-Site Scripting vulnerability in modules/Home/HomeWidgetBlockList.php. The flaw occurs because the widgetId parameter is reflected in server responses without proper sanitization, combined with an incorrect Content-Type: text/html header that allows JavaScript execution.
Making this worse, the application's CSRF token validation can be bypassed through HTTP method tampering: by converting POST requests to GET requests, attackers skip the __csrf_token requirement entirely, making XSS exploitation trivial.
The final piece involves information disclosure in the Touch module (/index.php?module=Touch&action=ws) that exposes PHPSESSID values despite HttpOnly protection. This creates a complete attack chain: XSS → session theft → account takeover.
Authentication Bypass Vector #2: SQL Injection + Token Extraction
The second vector exploits multiple SQL injection vulnerabilities in modules/Fax/EditView.php. The application builds database queries by directly concatenating user input rather than using prepared statements, so the protection prepared statements would provide is absent.
Here's the clever part: attackers can extract password reset tokens from the vte_userauthtoken table using SQL injection subqueries. Once they have a valid reset token for any user, they can set arbitrary passwords and log in as that user.
The injection occurs in queries like:
select (select token from vte_userauthtoken where userid=1) from vte_users where id=1;
This bypasses the need to crack password hashes - attackers get direct access to password reset mechanisms.
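As an added illustration (not code from the advisory or from vtenext), the query shape above is modelled on an in-memory SQLite database: the vulnerable function concatenates a caller-supplied column expression, while the hardened one allowlists column names (identifiers cannot be bound as parameters) and binds the user id. Table and column names follow the article; the token value and the user_field_* function names are constructed.

```python
import sqlite3
from typing import Optional

# Constructed in-memory stand-in for the two vtenext tables the article names.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table vte_users (id integer primary key, user_name text);
        create table vte_userauthtoken (userid integer, token text);
        insert into vte_users values (1, 'admin');
        insert into vte_userauthtoken values (1, 'demo-reset-token');
    """)
    return conn

# Vulnerable shape: the column expression comes straight from the request,
# so any subquery the caller supplies is evaluated by the database.
def user_field_vulnerable(conn: sqlite3.Connection, field: str, user_id: str) -> Optional[str]:
    sql = "select " + field + " from vte_users where id=" + user_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Column names a caller is allowed to ask for (hypothetical allowlist).
ALLOWED_FIELDS = {"id", "user_name"}

# Hardened shape: identifiers are checked against the allowlist and the
# id travels as a bound parameter, so no user text reaches the SQL parser.
def user_field_safe(conn: sqlite3.Connection, field: str, user_id: str) -> Optional[str]:
    if field not in ALLOWED_FIELDS:
        raise ValueError("unknown field %r" % field)
    row = conn.execute("select %s from vte_users where id=?" % field, (int(user_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = build_demo_db()
    # The same subquery the article shows, placed where the column name belongs.
    injected = "(select token from vte_userauthtoken where userid=1)"
    print("vulnerable:", user_field_vulnerable(conn, injected, "1"))  # leaks the reset token
    try:
        user_field_safe(conn, injected, "1")
    except ValueError as err:
        print("hardened rejected input:", err)
```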
Authentication Bypass Vector #3: Arbitrary Password Reset
This is the nastiest one. The hub/rpwd.php password reset endpoint contains a critical flaw that allows resetting any user's password with only their username. No user interaction required.
The vulnerability lies in the displayChangePwd() function, which accepts arbitrary usernames and new passwords through the change_password action. The function calls password update routines with skipOldPwdCheck = true, completely bypassing current password verification.
According to the researcher, vtenext silently patched this specific vulnerability in version 25.02.1 released July 24th, 2025, but the other attack vectors remain unpatched.
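An added detection example, not part of the article: a small access-log scan that flags the request patterns of the three vectors, run over constructed sample lines in Apache/nginx combined format. The finding texts are mine, and the rules assume (from the article's description) that HomeWidgetBlockList is normally POSTed and that widgetId is numeric.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SQL_WORDS = re.compile(r"\b(select|union|from|where)\b", re.I)

def flag_request(line: str) -> list:
    """Return findings for one access-log line; an empty list means nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, parts = m.group("method"), urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    module, action = qs.get("module", [""])[0], qs.get("action", [""])[0]
    hits = []
    # Vector 3: the reset endpoint. The action usually travels in the POST body,
    # which the access log does not show, so every POST to it is surfaced as well.
    if parts.path.endswith("/hub/rpwd.php") and (action == "change_password" or method == "POST"):
        hits.append("password reset request to hub/rpwd.php, correlate with user-initiated resets (vector 3)")
    # Vector 1: the endpoint that discloses PHPSESSID.
    if module == "Touch" and action == "ws":
        hits.append("access to Touch/ws session-disclosure endpoint (vector 1)")
    # Vector 2: SQL keywords inside any parameter of the injectable Fax edit view.
    if module == "Fax" and action == "EditView" and any(SQL_WORDS.search(v) for vals in qs.values() for v in vals):
        hits.append("SQL keywords in Fax/EditView parameters (vector 2)")
    # Vector 1: widgetId is reflected unescaped and should only be numeric;
    # a GET to this action means the __csrf_token check was sidestepped.
    if module == "Home" and action == "HomeWidgetBlockList":
        if not qs.get("widgetId", [""])[0].isdigit():
            hits.append("non-numeric widgetId sent to HomeWidgetBlockList (vector 1)")
        if method == "GET":
            hits.append("GET to HomeWidgetBlockList bypasses the CSRF token (vector 1)")
    return hits

def scan_log(text: str) -> dict:
    """Map 1-based line numbers to their findings, skipping clean lines."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = flag_request(line)
        if hits:
            findings[n] = hits
    return findings

# Constructed sample traffic: one probe per vector plus one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0200] "GET /index.php?module=Home&action=HomeWidgetBlockList&widgetId=1%3Cb%3Ex HTTP/1.1" 200 512
203.0.113.5 - - [01/Aug/2025:10:00:02 +0200] "GET /index.php?module=Touch&action=ws HTTP/1.1" 200 310
203.0.113.5 - - [01/Aug/2025:10:00:03 +0200] "GET /index.php?module=Fax&action=EditView&field=(select%20token%20from%20vte_userauthtoken) HTTP/1.1" 200 900
203.0.113.5 - - [01/Aug/2025:10:00:04 +0200] "POST /hub/rpwd.php HTTP/1.1" 302 0
198.51.100.9 - - [01/Aug/2025:10:00:05 +0200] "GET /index.php?module=Home&action=index HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(n, hits)
```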
Remote Code Execution Post-Compromise
Once authenticated, attackers have multiple paths to code execution:
Local File Inclusion vulnerabilities exist in multiple locations, including LayoutBlockListUtils.php, ActivityAjax.php, and wdCalendar.php. These can be exploited with path traversal to include system files, or combined with techniques like the pearcmd.php gadget for arbitrary file creation.
Module upload functionality allows administrators to install custom modules containing PHP code. Since the authentication bypass grants admin privileges, attackers can upload web shells disguised as legitimate modules.
Vendor Response Disaster
The vendor response has been absolute shit. Despite multiple disclosure attempts since May 2025 through official channels, email, and LinkedIn, vtenext failed to acknowledge the vulnerabilities for over three months. They eventually released a silent patch for one vulnerability without crediting the researcher or notifying customers about the security issues.
After the research was published, vtenext claimed the emails "may have been marked as spam due to the sender's format (0xbro)" - which is corporate bullshit for "we ignored security researchers." They stated some vulnerabilities were already found through their own VAPT activities, but provided no timeline for fixing the remaining issues.
Real-World Impact
vtenext is used by numerous companies, particularly in Italy. Internet scanning data shows significant exposure of vtenext installations across the internet. The platform handles sensitive customer relationship data, financial information, and business processes - making these vulnerabilities particularly dangerous for small and medium businesses that typically lack robust incident response capabilities.
The bigger concern: vtenext is based on Vtiger CRM core, meaning other applications derived from the same codebase may share these vulnerabilities, potentially multiplying the affected systems far beyond vtenext's direct user base.