CVE-2022-37181
Description
72crm 9.0 has an Arbitrary file upload vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
72crm 9.0 allows arbitrary file upload via the logo upload functionality, leading to remote code execution.
Vulnerability
72crm 9.0 (also known as 72wukong 9.0) contains an arbitrary file upload vulnerability in the enterprise management background logo upload feature. The vulnerable code resides in application\admin\controller\System.php at line 51, where file validation is missing and the upload is performed directly. The move function (line 352) generates a filename with a .php suffix based on the current time, and move_uploaded_file is called with this filename (in thinkphp\library\think\File.php line 369). The vulnerability affects 72crm v9 on any platform, with the reporter testing on Windows 10, PHP 5.6.9, and Apache 2.4.39 [1].
Exploitation
To exploit, an attacker must have administrative access to the 72crm backend (able to navigate to the enterprise management background). The steps are: (1) log in as an admin, (2) go to the enterprise management background and click the logo upload option, (3) intercept the upload request with a proxy (e.g., Burp Suite), (4) modify the uploaded file content to contain malicious PHP code, (5) forward the request, (6) access the uploaded file's URL directly. Since the logo is publicly accessible, even unauthenticated users can reach the uploaded PHP file after it is placed [1].
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server with the privileges of the web server user. This leads to full compromise of the 72crm installation, including potential data theft, site defacement, or further lateral movement within the network. The impact is high because the uploaded file is web-accessible and the code runs in the context of the application [1].
Mitigation
As of the publication date (2022-08-24), no official patch or fixed version has been released for 72crm 9.0, and the vendor has not addressed the issue in the referenced GitHub issue [1]. Until a fix is available, users should restrict administrative access to the backend, deploy a web application firewall (WAF) rule that blocks logo uploads with non-image extensions, and add server-side file type validation to the vulnerable upload endpoint; upgrade to a fixed version if and when one becomes available. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the last check.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
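The mitigation above asks operators to add file type validation to the upload endpoint themselves. The following is an added example of what such a hardened logo-upload handler looks like in plain PHP; it is not code from 72crm, from ThinkPHP, or from the referenced GitHub issue. The function name `saveLogoUpload`, the field name `logo`, and the directory `/var/www/uploads/logo` are assumptions; 72crm's real controller and upload path are not reproduced. The key points it demonstrates are: never trust the client-supplied filename or Content-Type, derive the extension from server-side content sniffing against an allowlist, and write the file under a random server-chosen name so a trailing `.php` from the request can never reach the filesystem. A second helper audits an existing upload directory for files that a web server could execute.

```php
<?php
// Added example: hardened logo upload validation (not 72crm's own code).
// Assumptions: the form field is named "logo" and files land in UPLOAD_DIR,
// a directory the web server is configured never to execute scripts from.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads/logo'; // assumed path, not 72crm's
const MAX_BYTES  = 2 * 1024 * 1024;          // 2 MiB cap is plenty for a logo

// Server-side allowlist: detected MIME type => extension we will write.
// The client's filename and $_FILES[...]['type'] are never consulted.
const ALLOWED_MIME = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the stored path, or throws on any validation failure.
 */
function saveLogoUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only accept a path that PHP itself received via HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Sniff the bytes; do not use $file['type'], which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }
    // Second, independent check: the file must parse as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a valid image');
    }

    // Random server-chosen name with the allowlisted extension. Nothing from
    // the original filename (for example a ".php" suffix) reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

/**
 * Defensive audit of an existing upload directory: list files whose
 * extension a PHP-enabled web server might execute. Run this when applying
 * the mitigation to an installation that was exposed before the fix.
 */
function findExecutableUploads(string $dir): array
{
    $suspicious = [];
    $bad = ['php', 'phtml', 'php5', 'phar', 'htaccess'];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (in_array(strtolower($f->getExtension()), $bad, true)) {
            $suspicious[] = $f->getPathname();
        }
    }
    return $suspicious;
}

// Usage inside the request handler (assumed field name "logo"):
// $path = saveLogoUpload($_FILES['logo']);
// Periodic audit:
// $hits = findExecutableUploads(UPLOAD_DIR); // non-empty list means investigate
```

The validation is layered deliberately: `finfo` and `getimagesize` are independent checks, and the extension written to disk comes only from the allowlist. On the Apache setup the reporter used, the upload directory should additionally be served with script execution disabled (for mod_php, `php_admin_flag engine off` in the directory's configuration block), so that even a file that slips past validation is returned as static content rather than run.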
Affected products
72crm/72crm
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/72wukong/72crm-9.0-PHP/issues/35 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.