Zero-day vulnerability affected SugarCRM servers

Exploit code was published online at the end of December. The exploit is an authentication bypass combined with remote code execution (RCE). SugarCRM confirmed the vulnerability and has already patched it.

According to Censys, as of January 11, 354 SugarCRM servers (about 12% of all SugarCRM servers) were infected. The largest number of infections was in the USA (90 servers), followed by Germany, Australia and France.

SugarCRM's advisory says the vulnerability affects the Sugar Sell, Serve, Enterprise, Professional and Ultimate products. Sugar Market is not affected.

Authentication is bypassed through the "index.php" path. Once authentication is bypassed, the attacker receives a session cookie, and a second POST request is sent to the path "/cache/images/sweet.phar", which uploads a PNG file containing PHP code that the server executes when the file is requested again.

The PHP code is decoded and turned into a web shell, a text window that the attacker can use as an interface to run commands on compromised hosts.
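As an added example (not from the article and not SugarCRM's own code), a small Python check a defender could run over web-server access logs to spot the write-then-execute sequence described above: a file with a PHP-executable extension appearing under /cache/images/, and a POST to that path followed by a GET of the same path from the same client. The log lines are constructed samples.

```python
import re

# Constructed combined-format access log lines (not taken from any real server).
# The first client shows the described pattern: a POST that writes
# /cache/images/sweet.phar, then a GET of the same path that triggers it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:03:12:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/7.85"
203.0.113.7 - - [10/Jan/2023:03:12:02 +0000] "POST /cache/images/sweet.phar HTTP/1.1" 200 77 "-" "curl/7.85"
203.0.113.7 - - [10/Jan/2023:03:12:05 +0000] "GET /cache/images/sweet.phar HTTP/1.1" 200 1024 "-" "curl/7.85"
198.51.100.4 - - [10/Jan/2023:03:15:10 +0000] "GET /cache/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2023:03:15:11 +0000] "GET /index.php?module=Home HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The image cache should only hold image files; a PHP-executable extension
# there (the article names sweet.phar) is suspicious on its own.
SUSPICIOUS_EXT = re.compile(r'\.(phar|php\d?|phtml)$', re.IGNORECASE)
CACHE_PREFIX = "/cache/images/"


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_drops(log_text):
    """Return a list of (ip, path, reason) findings for the two rules above."""
    findings = []
    posted = set()  # (ip, path) pairs that a client has POSTed to
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.startswith(CACHE_PREFIX):
            continue
        if SUSPICIOUS_EXT.search(path):
            findings.append((rec["ip"], path, "executable extension in image cache"))
        key = (rec["ip"], path)
        if rec["method"] == "POST":
            posted.add(key)
        elif rec["method"] == "GET" and key in posted:
            findings.append((rec["ip"], path, "POST then GET of same cached file"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_webshell_drops(SAMPLE_LOG):
        print(ip, path, reason)
```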

Source: media reports cited above.