# [HIGH] SuiteCRM: PHAR deserialization vulnerability to code execution **Source:** Snyk **Published:** 2021-05-07 **Article:** https://snyk.io/blog/suitecrm-phar-deserialization-vulnerability-to-code-execution/ ## Threat Profile Snyk Blog In this article Written by Sam Sanoop May 7, 2021 0 mins read SuiteCRM is a free and open source Customer Relationship Management application for servers. This advisory details a PHAR deserialization vulnerability that exists in SuiteCRM which could be leveraged by an authenticated administrator to execute commands on the underlying operating system. This issue has been fixed in release 7.11.19. In PHP, PHAR (PHP Archive) files can be used to package PHP applications and PHP librarie… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2020-8801` - **SHA1:** `571cbfa209da4c8280a5359f301115de25b4c6e3` - **MD5:** `6b8f472cd174d02167bc0a0c908ec9e0` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1027** — Obfuscated Files or Information - **T1204.002** — User Execution: Malicious File ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Article-specific behavioural hunt — SuiteCRM: PHAR deserialization vulnerability to code execution `UC_2859_2` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — SuiteCRM: PHAR deserialization vulnerability to code execution ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/tmp/test.txt*" OR Filesystem.file_path="*/var/www/html/uploads*" OR Filesystem.file_path="*/var/www/html/upload/eb7cde01-6190-9ca9-b81b-601998504b41*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — SuiteCRM: PHAR deserialization vulnerability to code execution // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/tmp/test.txt", "/var/www/html/uploads", "/var/www/html/upload/eb7cde01-6190-9ca9-b81b-601998504b41")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2020-8801` - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `571cbfa209da4c8280a5359f301115de25b4c6e3`, `6b8f472cd174d02167bc0a0c908ec9e0` ## Why this matters Severity classified as **HIGH** based on: CVE present, IOCs present, 3 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.