CVE-2018-25357: Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php
Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.
Security readout for executives and security teams
Plain-English summary
Dolibarr ERP CRM 7.0.3 has a critical flaw in its web installer that lets anyone on the network run commands on the server without logging in. If the installer page is reachable, an attacker can take over the system, steal business data, or use it as a foothold in the network.
Executive priority
High-priority patching and exposure check. A public exploit targets an ERP/CRM platform that typically holds customer, financial, and HR data; a compromised host can lead to data theft, fraud, or ransomware staging. Fixing exposure is inexpensive relative to breach cost.
Technical view
Per VulnCheck and ExploitDB-44964, unauthenticated attackers POST attacker-controlled PHP to the db_name parameter of install/step1.php on Dolibarr 7.0.3. The value is written into a configuration file that is later included, yielding code execution. A follow-up GET to check.php with a cmd parameter runs OS commands. Mapped to CWE-94 (code injection); CVSS 9.8 (AV:N/AC:L/PR:N/UI:N).
Likely exposure
Highest for Dolibarr 7.0.3 instances whose install/ directory was left reachable after setup, or hosts left mid-install. Internet-exposed ERP portals, developer/staging copies, and container images that ship the installer are the most likely targets. Long-lived legacy deployments still on 7.0.3 are especially at risk.
Exploitation context
A public proof-of-concept exists on ExploitDB (44964) and VulnCheck has published an advisory, so exploitation is trivial for anyone who finds an exposed installer. CISA KEV does not currently list this CVE, and no confirmed in-the-wild campaign is cited in the provided sources. Treat the public PoC as sufficient reason to act quickly.
Researcher notes
CWE-94 code injection via install/step1.php db_name parameter, chained with check.php cmd execution. Version data in the bundle only lists "0" for affected versions, but the title, description, VulnCheck advisory, and ExploitDB PoC specifically call out 7.0.3; confirm scope against vendor changelog before generalizing. Not on CISA KEV as of the source bundle. No fixed version is cited in these sources — validate against dolibarr.org release notes.
Mitigation direction
Block or delete the install/ directory on all Dolibarr hosts after setup completes.
Restrict access to Dolibarr admin and installer paths to trusted IPs via WAF or reverse proxy.
Upgrade Dolibarr away from 7.0.3 to a currently supported release per vendor guidance at dolibarr.org.
Rotate database credentials and app secrets on any host where installer exposure is suspected.
Add detections for POSTs to install/step1.php and GETs to check.php with a cmd parameter.
Validation and detection
Inventory all Dolibarr deployments and confirm running version; flag any at 7.0.3 or earlier.
Check whether install/step1.php and install/check.php are reachable from untrusted networks.
Review web server access logs for POSTs to install/step1.php and cmd= queries to check.php.
Inspect Dolibarr config files (conf/conf.php) for unexpected PHP content in database name fields.
Search hosts for unexpected outbound connections or web-shell artifacts under the Dolibarr web root.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-94: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
3Timeline events
1ADP providers
5Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-94 · source CWE mapping
Improper Control of Generation of Code ('Code Injection')
Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.