Cyber Posture

CVE-2026-29103

Critical

Published: 19 March 2026
Modified: 24 March 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. A Critical Remote Code Execution (RCE) vulnerability exists in SuiteCRM 7.15.0 and 8.9.2, allowing authenticated administrators to execute arbitrary system commands. This vulnerability is a direct Patch Bypass of CVE-2024-49774. Although the vendor attempted to fix the issue in version 7.14.5, the underlying flaw in ModuleScanner.php regarding PHP token parsing remains. The scanner incorrectly resets its internal state (the $checkFunction flag) when encountering any single-character token (such as =, ., or ;). This allows attackers to hide dangerous function calls (e.g., system(), exec()) using variable assignments or string concatenation, completely evading the MLP security controls. Versions 7.15.1 and 8.9.3 patch the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly remediates the RCE vulnerability by requiring timely patching of affected SuiteCRM versions 7.15.0 and 8.9.2 to the fixed releases 7.15.1 and 8.9.3.
- prevent: Prevents code injection exploitation by mandating robust validation of PHP module inputs to the ModuleScanner, countering token parsing flaws that allow evasion of dangerous function detection.
- detect: Identifies the presence of this specific CVE in deployed SuiteCRM instances through vulnerability scanning, enabling proactive flaw remediation.

Security Summary [AI-generated]

CVE-2026-29103 is a critical remote code execution (RCE) vulnerability in SuiteCRM, an open-source enterprise Customer Relationship Management (CRM) software. It affects versions 7.15.0 and 8.9.2 due to a direct patch bypass of CVE-2024-49774 in the ModuleScanner.php component. The underlying issue involves flawed PHP token parsing, where the scanner incorrectly resets its internal $checkFunction flag upon encountering single-character tokens such as '=', '.', or ';'. This flaw enables attackers to hide dangerous function calls like system() or exec() using variable assignments or string concatenation, fully evading the MLP security controls. The vulnerability is rated 9.1 on CVSS 3.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-94 (Code Injection) and CWE-358 (Improperly Implemented Security Check).

Authenticated administrators can exploit this vulnerability remotely with low complexity to execute arbitrary system commands on the server. By crafting inputs that leverage the token parsing flaw, attackers bypass the intended protections from the prior patch attempt in version 7.14.5, achieving high confidentiality, integrity, and availability impact with a scope change (S:C), since code running on the CRM server affects resources beyond the application itself.

SuiteCRM versions 7.15.1 and 8.9.3 address the issue with a proper fix. Mitigation details are available in the vendor's release notes at https://docs.suitecrm.com/admin/releases/7.15.x and the GitHub security advisory at https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-5jjq-9qch-9rg7.

Details

CWE(s): CWE-94 (Code Injection), CWE-358 (Improperly Implemented Security Check)

Affected Products: suitecrm / suitecrm, ≤ 7.15.1 · 8.0.0 – 8.9.3 (range as listed on this page; note that the description above names 7.15.1 and 8.9.3 as the fixed releases)

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Critical RCE in a public-facing web application (SuiteCRM) via a flawed PHP token parsing bypass in ModuleScanner, enabling arbitrary system()/exec() command execution on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
