CVE-2025-67887 Overview
CVE-2025-67887 affects 1C-Bitrix versions through 25.100.500. The flaw allows Remote Code Execution (RCE) when an actor holds SOURCE/WRITE permissions for the Translate Module. An authenticated user with those privileges can upload a PHP file together with an .htaccess file, then trigger execution of arbitrary code on the server.
The issue is classified under CWE-94 (Improper Control of Generation of Code). The supplier disputes the report, stating that file upload through the Translate Module is intended behavior for high-privileged administrators who manage translated pages.
Critical Impact
An authenticated administrator with Translate Module write access can upload PHP and .htaccess files to gain arbitrary code execution on the underlying web server.
Affected Products
- 1C-Bitrix through 25.100.500
- Bitrix Translate Module (component allowing SOURCE/WRITE file operations)
- Websites deployed on Apache HTTP Server honoring uploaded .htaccess directives
Discovery Timeline
- 2026-05-08 - CVE-2025-67887 published to NVD
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2025-67887
Vulnerability Analysis
The Translate Module in 1C-Bitrix manages language files and translated page content. The module exposes file write primitives to users granted SOURCE or WRITE permissions. These primitives accept file content and a destination path without enforcing extension allow-listing or restricting writes to non-executable directories.
An attacker abuses this design by uploading a .htaccess file that enables PHP execution in the target directory, followed by a .php file containing attacker-controlled code. Requesting the uploaded PHP file through the web server triggers code execution in the context of the web service account.
The vendor disputes the entry, arguing that administrators with Translate Module privileges already control website content and that file write capability is a documented feature. Operators should still treat the path as a meaningful post-authentication escalation from content-management privilege to operating-system command execution.
Root Cause
The root cause is improper control of code generation [CWE-94]. The Translate Module trusts privileged users to supply arbitrary file content and paths, but the application does not constrain uploaded file types or override server-level execution policy in writable directories.
Attack Vector
The attack vector is network-based and requires prior authentication with SOURCE/WRITE permission on the Translate Module. After login, the attacker submits two write requests: one to drop an .htaccess file enabling PHP handling, and a second to drop the PHP payload. A standard HTTP GET against the payload URL executes the code. A public proof-of-concept is published at Karma In Security PoC and on the Full Disclosure Mailing List.
Detection Methods for CVE-2025-67887
Indicators of Compromise
- New or modified .htaccess files inside Bitrix directories writable by the Translate Module, particularly files containing AddHandler, AddType, or SetHandler directives for PHP.
- Unexpected .php files appearing under translation directories such as /bitrix/modules/*/lang/ or /lang/ subtrees.
- HTTP requests to the Bitrix admin interface targeting Translate Module endpoints (fileman_translate.php, translate_* actions) followed by GET requests to newly created PHP paths.
Detection Strategies
- Monitor the web root for file integrity changes on .htaccess and .php files outside scheduled deployment windows.
- Alert on Translate Module API calls performed by accounts that do not normally manage translations.
- Correlate web server access logs to identify a pattern of write operations through the admin panel followed by direct requests to non-standard PHP files.
Monitoring Recommendations
- Enable PHP and Apache audit logging to capture script execution paths and .htaccess reloads.
- Forward web server, application, and authentication logs to a centralized analytics platform for retention and correlation.
- Track privileged Bitrix role assignments, especially grants of SOURCE or WRITE permissions on the Translate Module.
How to Mitigate CVE-2025-67887
Immediate Actions Required
- Audit all Bitrix user accounts and revoke SOURCE/WRITE permissions on the Translate Module from accounts that do not require translation file management.
- Enforce multi-factor authentication for every administrative Bitrix account to limit credential abuse.
- Inventory web-writable directories for unauthorized .htaccess and .php artifacts and quarantine any unexpected files.
Patch Information
The vendor disputes the report and has not issued a patch, stating the behavior is intended for high-privileged users. Operators should consult Bitrix Support and the Bitrix API Documentation for current guidance, and apply hardening at the web server and access-control layers.
Workarounds
- Configure Apache with AllowOverride None on Bitrix content directories so uploaded .htaccess files cannot enable PHP handlers.
- Restrict PHP execution to a fixed allow-list of paths using <FilesMatch> and php_admin_value directives outside .htaccess control.
- Place the Bitrix admin panel behind a VPN or IP allow-list so the Translate Module is unreachable from the public internet.
- Run periodic file integrity scans across translation directories and alert on any new executable content.
# Apache hardening example: prevent uploaded .htaccess from enabling PHP
<Directory "/var/www/bitrix">
AllowOverride None
Require all granted
</Directory>
<DirectoryMatch "/var/www/bitrix/.*/(lang|translate)/">
php_admin_flag engine off
RemoveHandler .php .phtml .php5
RemoveType .php .phtml .php5
</DirectoryMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
