CVE-2025-67886
MEDIUM
6,3
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: low
Description
AI Translation Available
Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,0004
Percentile
0,1th
Updated
EPSS Score Trend (Last 5 Days)
434
Unrestricted Upload of File with Dangerous Type
DraftCommon Consequences
Security Scopes Affected:
Integrity
Confidentiality
Availability
Potential Impacts:
Execute Unauthorized Code Or Commands
Applicable Platforms
Languages:
ASP.NET, Not Language-Specific, PHP
Technologies:
AI/ML, Web Server
https://seclists.org/fulldisclosure/2025/Dec/21
http://seclists.org/fulldisclosure/2025/Dec/21
https://dev.1c-bitrix.ru/api_help/translate/index.php
https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055
https://karmainsecurity.com/pocs/CVE-2025-67886.php
https://seclists.org/fulldisclosure/2025/Dec/21
https://www.bitrix24.com/self-hosted/