LiveActive security incident?Get immediate response
CVE Record

CVE-2018-25357: Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php

Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

Dolibarr ERP CRM 7.0.3 has a critical flaw in its web installer that lets anyone on the network run commands on the server without logging in. If the installer page is reachable, an attacker can take over the system, steal business data, or use it as a foothold in the network.

Executive priority

High-priority patching and exposure check. A public exploit targets an ERP/CRM platform that typically holds customer, financial, and HR data; a compromised host can lead to data theft, fraud, or ransomware staging. Fixing exposure is inexpensive relative to breach cost.

Technical view

Per VulnCheck and ExploitDB-44964, unauthenticated attackers POST attacker-controlled PHP to the db_name parameter of install/step1.php on Dolibarr 7.0.3. The value is written into a configuration file that is later included, yielding code execution. A follow-up GET to check.php with a cmd parameter runs OS commands. Mapped to CWE-94 (code injection); CVSS 9.8 (AV:N/AC:L/PR:N/UI:N).

Likely exposure

Highest for Dolibarr 7.0.3 instances whose install/ directory was left reachable after setup, or hosts left mid-install. Internet-exposed ERP portals, developer/staging copies, and container images that ship the installer are the most likely targets. Long-lived legacy deployments still on 7.0.3 are especially at risk.

Exploitation context

A public proof-of-concept exists on ExploitDB (44964) and VulnCheck has published an advisory, so exploitation is trivial for anyone who finds an exposed installer. CISA KEV does not currently list this CVE, and no confirmed in-the-wild campaign is cited in the provided sources. Treat the public PoC as sufficient reason to act quickly.

Researcher notes

CWE-94 code injection via install/step1.php db_name parameter, chained with check.php cmd execution. Version data in the bundle only lists "0" for affected versions, but the title, description, VulnCheck advisory, and ExploitDB PoC specifically call out 7.0.3; confirm scope against vendor changelog before generalizing. Not on CISA KEV as of the source bundle. No fixed version is cited in these sources — validate against dolibarr.org release notes.

Mitigation direction

  • Block or delete the install/ directory on all Dolibarr hosts after setup completes.
  • Restrict access to Dolibarr admin and installer paths to trusted IPs via WAF or reverse proxy.
  • Upgrade Dolibarr away from 7.0.3 to a currently supported release per vendor guidance at dolibarr.org.
  • Rotate database credentials and app secrets on any host where installer exposure is suspected.
  • Add detections for POSTs to install/step1.php and GETs to check.php with a cmd parameter.

Validation and detection

  • Inventory all Dolibarr deployments and confirm running version; flag any at 7.0.3 or earlier.
  • Check whether install/step1.php and install/check.php are reachable from untrusted networks.
  • Review web server access logs for POSTs to install/step1.php and cmd= queries to check.php.
  • Inspect Dolibarr config files (conf/conf.php) for unexpected PHP content in database name fields.
  • Search hosts for unexpected outbound connections or web-shell artifacts under the Dolibarr web root.
Prepared
Confidence
medium
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-94: Code execution behavior lookup

Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-25357 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
3Timeline events
1ADP providers
5Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9VulnCheck
9.3CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NVulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

9.3Critical
CVSS 4.0 vector shape for CVE-2018-25357Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
DolibarrDolibarr ERP CRM0Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-94 · source CWE mapping

Improper Control of Generation of Code ('Code Injection')

Improper Control of Generation of Code ('Code Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.