CVE-2026-46624

Twenty · Twenty CRM

Twenty CRM is vulnerable to RCE via chained SQL injection and PostgreSQL COPY TO PROGRAM attacks in the REST API.

Executive summary

An authenticated Remote Code Execution (RCE) vulnerability in Twenty CRM allows attackers to execute arbitrary OS commands on the database server.

Vulnerability

This is a critical RCE vulnerability that chains a SQL injection with PostgreSQL's COPY ... TO PROGRAM feature. An authenticated user can inject SQL through the unsanitized timeZone parameter of the REST API; when the database role used by the application has superuser privileges, the injected COPY ... TO PROGRAM statement runs arbitrary OS commands on the database server.

Business impact

The vulnerability poses a severe risk to organizational data integrity and system availability. With a CVSS score of 9.9, this flaw allows for complete system compromise, enabling attackers to extract sensitive CRM data or pivot into the internal network. Successful exploitation could lead to catastrophic reputational damage and prolonged operational downtime.

Remediation

Immediate Action: Upgrade Twenty CRM to a patched version that sanitizes the timeZone input parameter.

Proactive Monitoring: Review database query logs for anomalous COPY TO PROGRAM syntax or unusual SQL injection patterns within the REST API.

Compensating Controls: Implement strict input validation at the Web Application Firewall (WAF) level to block suspicious SQL queries containing command execution patterns.
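As an added illustration of the monitoring and input-validation items above (example code written for this page, not part of Twenty CRM or the advisory), the following scans PostgreSQL statement logs for COPY ... TO/FROM PROGRAM and shows an allowlist check for a timeZone value. The log lines and role/database names are constructed samples, and the log format is assumed to be PostgreSQL's default `log_line_prefix` style with `log_statement` enabled.

```python
import re
from zoneinfo import available_timezones

# Constructed sample log lines (hypothetical; not taken from the advisory).
# Line 2 carries an injected COPY ... TO PROGRAM, line 4 a lower-case FROM PROGRAM;
# line 3 is a benign COPY to a file and must not be flagged.
SAMPLE_LOG = """\
2026-04-01 10:00:01 UTC [1201] twenty@default LOG:  statement: SELECT now() AT TIME ZONE 'Europe/Paris'
2026-04-01 10:00:02 UTC [1201] twenty@default LOG:  statement: SELECT now() AT TIME ZONE 'UTC'; COPY (SELECT 1) TO PROGRAM 'id' --'
2026-04-01 10:00:03 UTC [1202] twenty@default LOG:  statement: COPY events TO '/tmp/events.csv'
2026-04-01 10:00:04 UTC [1203] twenty@default LOG:  statement: copy   t   from   program   'cat /etc/hostname'
"""

# COPY ... TO PROGRAM and COPY ... FROM PROGRAM both hand a command to the server's shell.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*?\b(TO|FROM)\s+PROGRAM\b", re.IGNORECASE)
STATEMENT = re.compile(r"LOG:\s+statement:\s*(?P<sql>.*)$")


def find_copy_program(log_text: str) -> list[tuple[int, str]]:
    """Return (line_no, sql) for each logged statement invoking COPY ... TO/FROM PROGRAM."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = STATEMENT.search(line)
        if m and COPY_PROGRAM.search(m.group("sql")):
            hits.append((n, m.group("sql")))
    return hits


# Allowlist for the timeZone parameter: a request value is accepted only if it is a
# known IANA zone name; anything else is rejected before it reaches SQL.
_ZONES = available_timezones()
_ZONE_SHAPE = re.compile(r"^[A-Za-z0-9_+\-/]{1,64}$")


def is_valid_timezone(value: str) -> bool:
    """Accept only well-formed, known IANA zone names; never interpolate raw input into SQL."""
    return bool(_ZONE_SHAPE.match(value)) and value in _ZONES


if __name__ == "__main__":
    for line_no, sql in find_copy_program(SAMPLE_LOG):
        print(f"line {line_no}: {sql}")
    print(is_valid_timezone("UTC'; COPY (SELECT 1) TO PROGRAM 'id' --"))
```

The allowlist check still has to be paired with a parameterized query (or PostgreSQL's `SET TIME ZONE` with a bound value) on the server side; validating the string alone does not remove the need to keep user input out of SQL text.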

Exploitation status

Public exploit available: No

Analyst recommendation

Given the critical nature of this RCE vulnerability and the potential for full system takeover, immediate patching is mandatory. Administrators must prioritize updating Twenty CRM and auditing current database user permissions to adhere to the principle of least privilege, ensuring the application does not run as a database superuser.