PT-2025-52213 · Unknown · 1С-Битрикс

Published 2025-12-18 · Updated 2026-05-10 · CVE-2025-67887

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

1C-Bitrix versions prior to 25.100.501

Description

The software contains a remote code execution issue within the Translate Module. The application does not properly validate the contents of archive files before unpacking them, allowing attackers to upload and execute arbitrary PHP code by including a PHP file and a specially crafted .htaccess file within an archive. Successful exploitation requires SOURCE and WRITE privileges.

Indicators of compromise include requests to the following API endpoints: '/bitrix/services/main/ajax.php?action=translate.asset.grabber.extract' and '/bitrix/services/main/ajax.php?action=translate.asset.grabber.apply'. Exploitation involves uploading an archive via the translate.asset.grabber.upload endpoint, which then leads to the activation of a shell.php file in the /upload/tmp/ directory and subsequent command execution.

Recommendations

Versions prior to 25.100.501:

Check logs for calls to '/bitrix/services/main/ajax.php?action=translate.asset.grabber.extract'.

Check the /upload/tmp directory for PHP files.

Restrict access to the affected API endpoints using Access Control Lists (ACL) or a Web Application Firewall (WAF).

Temporarily disable the Translate module.
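The two checks recommended above (access logs and /upload/tmp), as an added triage example that is not part of the advisory or of vendor code. It assumes a combined-format web server access log; the sample log lines, the function names and the extension list beyond .php are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Controller actions named in the advisory: upload, extract, apply.
ACTIONS = {"translate.asset.grabber." + a for a in ("upload", "extract", "apply")}
AJAX_PATH = "/bitrix/services/main/ajax.php"
# Assumption: common/combined log format, i.e. client first, quoted request line, status.
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /bitrix/admin/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "POST /bitrix/services/main/ajax.php'
    '?action=translate.asset.grabber.upload HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2026:10:00:06 +0000] "POST /bitrix/services/main/ajax.php'
    '?action=translate.asset.grabber%2Eextract&sessid=x HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2026:10:01:00 +0000] "POST /bitrix/services/main/ajax.php'
    '?action=example.other HTTP/1.1" 200 10',
]

def grabber_hits(lines):
    """Return (client, method, action, status) for requests to the listed actions."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if unquote(url.path).lower() != AJAX_PATH:
            continue
        # parse_qs percent-decodes values, so an encoded action name still matches.
        for action in parse_qs(url.query).get("action", []):
            if action.lower() in ACTIONS:
                hits.append((client, method, action.lower(), int(status)))
    return hits

def suspicious_tmp_files(upload_tmp):
    """List PHP-like files and .htaccess files anywhere under the given directory."""
    exts = {".php", ".phtml", ".phar"}  # assumption: .php plus common PHP handler extensions
    return sorted(p for p in Path(upload_tmp).rglob("*")
                  if p.is_file() and (p.suffix.lower() in exts or p.name.lower() == ".htaccess"))

if __name__ == "__main__":
    for hit in grabber_hits(SAMPLE_LOG):
        print(hit)
```

The log check only sees the action name when it is passed in the query string, as in the URLs the advisory lists.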

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2025-67887

Affected Products: 1С-Битрикс