PatchSiren cyber security CVE debrief
CVE-2018-25357 Dolibarr CVE debrief
A critical remote code execution vulnerability exists in Dolibarr ERP CRM 7.0.3. The vulnerability allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious payloads through the db_name parameter during the installation process. The attack vector involves sending a POST request to install/step1.php with crafted PHP code in the db_name parameter, followed by command execution via the check.php endpoint using the cmd GET parameter. This represents a severe security flaw as it permits complete system compromise without authentication requirements. The vulnerability was disclosed in 2018 but received updated NVD entries in May 2026. Organizations running affected versions should prioritize patching and restrict access to installation endpoints.
- Vendor: Dolibarr
- Product: Dolibarr ERP CRM
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-27
Who should care
Organizations running Dolibarr ERP CRM 7.0.3 or earlier versions; system administrators responsible for Dolibarr deployments; security teams monitoring for unauthenticated remote code execution vulnerabilities in PHP-based business applications; incident responders investigating potential compromises of Dolibarr installations
Technical summary
The vulnerability exists in the installation wizard component of Dolibarr ERP CRM 7.0.3. The install/step1.php endpoint accepts user-supplied input for database configuration without adequate sanitization of the db_name parameter. This parameter is processed in a context where PHP code evaluation may occur, enabling attackers to inject and execute arbitrary PHP code. The check.php endpoint subsequently provides a mechanism for command execution through the cmd GET parameter, completing the exploitation chain. The attack requires no authentication and can be executed remotely over the network.
Defensive priority
critical
Recommended defensive actions
- Immediately upgrade Dolibarr ERP CRM to a patched version beyond 7.0.3
- Restrict network access to /install/ directory endpoints to authorized administrators only
- Remove or disable installation scripts after initial deployment
- Monitor web server logs for POST requests to install/step1.php with suspicious db_name parameter content
- Implement Web Application Firewall rules to detect and block PHP code patterns in database configuration parameters
- Review and validate that check.php endpoint is not exposed to untrusted networks
- Conduct forensic analysis if exploitation is suspected, focusing on web server access logs and any unauthorized administrative access
- Apply principle of least privilege to web server processes running Dolibarr applications
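The log-monitoring action above, as an added example that is not part of the original debrief or of the Dolibarr project: a small scanner over Apache/nginx combined-format access log lines that flags POST requests to install/step1.php, any request to check.php carrying a cmd query parameter, and any other hit on the installer directory, and raises the severity when one client does the installer POST and the check.php cmd request within a short window. The sample log lines, the /dolibarr/ path prefix and the five-minute correlation window are constructed for the example; the page names check.php and its cmd parameter but not the directory it lives in, so the scanner matches on the script name alone.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access log format (client, ident, user, timestamp,
# request line, status, size). Only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic; the /dolibarr/ prefix is an assumption, not a
# value taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [23/May/2026:10:01:12 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 5120
203.0.113.5 - - [23/May/2026:10:01:15 +0000] "POST /dolibarr/install/step1.php HTTP/1.1" 200 812
203.0.113.5 - - [23/May/2026:10:01:18 +0000] "GET /dolibarr/install/check.php?cmd=id HTTP/1.1" 200 97
198.51.100.7 - - [23/May/2026:10:02:00 +0000] "GET /dolibarr/install/check.php HTTP/1.1" 200 2301
198.51.100.7 - - [23/May/2026:10:02:03 +0000] "GET /dolibarr/user/card.php?id=1 HTTP/1.1" 200 4410
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec):
    """Return a detection tag for one parsed request, or None if it is not of interest."""
    path = rec["path"].lower()
    if rec["method"] == "POST" and path.endswith("/install/step1.php"):
        return "installer_post"
    # The advisory names check.php and its cmd parameter but not its directory,
    # so match on the script name regardless of where it sits.
    if path.rsplit("/", 1)[-1] == "check.php" and "cmd" in rec["query"]:
        return "check_cmd"
    if "/install/" in path:
        return "installer_access"
    return None


def scan_log(text, window=timedelta(minutes=5)):
    """Scan log text and return findings; a check.php cmd request that follows an
    installer POST from the same client within `window` is escalated to rce_chain."""
    findings = []
    last_installer_post = {}  # client ip -> timestamp of its most recent installer POST
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag is None:
            continue
        finding = {
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "tag": tag,
            "target": rec["target"],
        }
        if tag == "installer_post":
            last_installer_post[rec["ip"]] = rec["ts"]
        elif tag == "check_cmd":
            seen = last_installer_post.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= window:
                finding["tag"] = "rce_chain"
                finding["cmd"] = rec["query"]["cmd"][0]
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Standard access logs record only the request line, so the db_name content that the advisory describes never appears in them; this scanner therefore flags the request to install/step1.php itself, which on a deployed instance should not be receiving POSTs at all, and leaves payload inspection to a WAF or request-body logging in front of the application.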
Evidence notes
Vulnerability confirmed through official CVE record and NVD database. Exploit details documented in Exploit-DB entry 44964 and VulnCheck advisory. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high impact across confidentiality, integrity, and availability dimensions.
Official resources