CVE-2025-67886

Name of the Vulnerable Software and Affected Versions Bitrix24 versions prior to 25.100.301

Description Remote Code Execution is possible because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. The supplier disputes this issue, stating it is intended behavior for high-privileged users who upload new translated pages to the website.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.