CVE-2026-12116
Xerte · Xerte Online Tools
A code injection vulnerability in Xerte Online Tools allows unauthenticated attackers to achieve Remote Code Execution (RCE) by manipulating the antivirus binary path to execute arbitrary PHP code.
Executive summary
A critical remote code execution vulnerability in Xerte Online Tools allows unauthenticated attackers to fully compromise the host system by injecting and executing malicious PHP payloads.
Vulnerability
This vulnerability stems from improper control of code generation (CWE-94), where an unauthenticated attacker can modify the antivirus binary path within the tools server settings to point to a PHP interpreter, facilitating arbitrary code execution.
Business impact
Successful exploitation of this vulnerability grants an attacker full control over the affected server, leading to potential data exfiltration, service disruption, and lateral movement within the network. With a CVSS score of 9.8, this flaw represents a critical risk that could result in total system compromise and severe reputational damage.
Remediation
Immediate Action: Upgrade Xerte Online Tools to version 3.15.5 or 3.14.6 immediately to resolve the vulnerable configuration path handling.
Proactive Monitoring: Review server logs for anomalous modifications to application settings or unexpected execution of PHP files originating from the tools directory.
Compensating Controls: Deploy a Web Application Firewall (WAF) to block suspicious requests targeting server configuration endpoints and restrict access to the administration interface to trusted IP ranges.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability presents a severe risk due to the ease of unauthenticated remote code execution. Organizations should prioritize the application of the vendor-provided patches immediately to mitigate the risk of unauthorized system access and potential full-scale compromise.