PhreeBooks ERP 5.2.3 Remote Code Execution via Image Manager

Vulnerability

PhreeBooks ERP version 5.2.3 contains a remote code execution vulnerability in the image manager component. The image manager fails to properly validate file extensions, allowing authenticated attackers to upload arbitrary PHP files. This is a classic unrestricted file upload flaw (CWE-434). Affected versions are PhreeBooks ERP <= 5.2.3 [2][4].

Exploitation

An attacker must have a valid authentication session (low-privileged user credentials) to access the image manager endpoint. The attacker uploads a malicious PHP file (e.g., webshell) with a .php extension that bypasses the inadequate extension controls. Once uploaded, the attacker can access the file directly via the web server to achieve code execution [2][4]. The exploit is publicly available on Exploit-DB, providing a step-by-step Python script that uploads a PHP payload and triggers a reverse shell or system commands [2].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the underlying server, establishing a reverse shell and executing arbitrary system commands. This leads to full compromise of confidentiality, integrity, and availability of the ERP system and potentially the host operating system, depending on web server privileges [2][4]. The CVSS v4 score is 9.0 (Critical) [4].

Mitigation

No official patch has been released by PhreeSoft, as the company announced closure effective May 31, 2026 [3]. Users are advised to migrate to the stand-alone Bizuno fork on GitHub (bizuno.com) or discontinue use of PhreeBooks ERP [3]. As of the publication date (2026-03-24), no workaround has been provided by the vendor. The vulnerability is not listed in CISA KEV as of this writing.