CVE-2019-25647

High ⚡ Exploit Available
CWE-434 — Weakness Type
Published: Mar 24, 2026  ·  Modified: Mar 30, 2026  ·  Source: NVD
CVSS v3: 8.8
🔗 NVD Official
📄 Description (English)

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them to establish reverse shell connections and execute system commands.

🤖 AI Executive Summary

PhreeBooks ERP 5.2.3 contains a critical remote code execution vulnerability in its image manager that allows authenticated attackers to bypass file extension controls and upload malicious PHP files. Exploits are publicly available, enabling attackers to execute arbitrary system commands and establish reverse shells. This vulnerability poses an immediate threat to organizations using this ERP system, particularly those managing financial and operational data.


🤖 AI Intelligence Analysis (analyzed: Apr 22, 2026 01:54)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using PhreeBooks ERP 5.2.3 face critical risk, particularly in: (1) Small to medium-sized enterprises (SMEs) in retail, wholesale, and distribution sectors relying on this ERP for inventory and financial management; (2) Government procurement entities and municipalities using legacy ERP systems; (3) Healthcare facilities managing pharmaceutical inventory and billing; (4) Manufacturing and industrial companies in the Eastern Province. The vulnerability allows complete system compromise, data exfiltration of financial records, customer information, and operational disruption. Organizations subject to SAMA regulations (financial institutions) and NCA cybersecurity requirements face significant compliance violations if exploited.
🏢 Affected Saudi Sectors
Retail and E-commerce; Wholesale and Distribution; Small and Medium Enterprises (SMEs); Government and Public Administration; Healthcare and Pharmaceuticals; Manufacturing and Industrial; Hospitality and Food Service; Education
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of PhreeBooks ERP 5.2.3 in your environment using network scanning and asset inventory tools
2. Restrict access to the image manager endpoint at the firewall/WAF level to authorized users only
3. Implement IP whitelisting for the image manager functionality
4. Disable the image manager feature if not actively used
5. Review access logs for suspicious file uploads or PHP execution attempts

PATCHING GUIDANCE:
1. Upgrade to PhreeBooks ERP version 5.2.4 or later immediately (verify patch availability with vendor)
2. If upgrade is not immediately possible, apply vendor security patches when released
3. Test patches in non-production environment before deployment

COMPENSATING CONTROLS (if patch unavailable):
1. Implement Web Application Firewall (WAF) rules to block uploads whose filename carries a PHP-executable extension anywhere in it (double extensions such as .php.jpg, alternate extensions such as .phtml, etc.)
2. Configure web server to prevent PHP execution in upload directories (disable PHP execution in /uploads or image directories)
3. Implement strict file type validation on server-side (whitelist only image MIME types: image/jpeg, image/png, image/gif)
4. Enforce file permission restrictions (644 for uploaded files, no execute permissions)
5. Implement comprehensive logging and alerting for image manager activities
6. Conduct daily review of uploaded files for suspicious content
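
The server-side controls in items 1 to 4 above, written out as an added example (this is not PhreeBooks code and not from the original page): a strict allow-list of image extensions and MIME types, rejection of double extensions, a file-signature check so the content must actually be an image, and storage under a server-chosen name with mode 0644 and no execute bit. The (filename, content_type, bytes) call shape and the upload directory are assumptions made for the demonstration.

```python
"""Server-side upload validation for an image manager.

Added example, not code from the page or from PhreeBooks: it implements the
compensating controls listed above (extension and MIME allow-list, rejection
of double extensions, file-signature check, mode 0644 with no execute bit).
The upload directory layout and the (filename, content_type, bytes) call
shape are assumptions made for the demonstration.
"""
import os
import re
import secrets
from typing import Optional, Tuple

# Allow-list from the guidance: only these image types, mapped to the
# canonical extension the file will be stored with.
ALLOWED_TYPES = {"image/jpeg": ".jpg", "image/png": ".png", "image/gif": ".gif"}

# Standard file signatures each allowed type must begin with.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# One conservative base name, exactly one dot, one allowed extension.
# "shell.php.jpg", "x.phtml", ".htaccess" and "a.jpg.php" all fail here,
# so double extensions are rejected before any MIME logic runs.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$", re.IGNORECASE)


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Cross-check the client's filename and Content-Type against the bytes.

    Returns (ok, reason). Every check must pass; nothing the client sent is
    trusted on its own.
    """
    name = os.path.basename(filename.replace("\\", "/"))  # strip any path part
    if not SAFE_NAME.match(name):
        return False, "filename rejected: disallowed or double extension"
    if declared_mime not in ALLOWED_TYPES:
        return False, "declared content type not in allow-list"
    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "content does not carry a recognised image signature"
    if sniffed != declared_mime:
        return False, "declared content type does not match file signature"
    ext = "." + name.rsplit(".", 1)[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext != ALLOWED_TYPES[sniffed]:
        return False, "extension does not match file signature"
    return True, "ok"


def store_upload(upload_dir: str, data: bytes) -> str:
    """Persist already-validated bytes under a server-chosen random name.

    The client's filename never reaches the filesystem, the file is created
    with mode 0644 (no execute bit for anyone), and O_EXCL prevents
    overwriting an existing file. The web server must still be configured
    to refuse PHP execution in this directory; this function only covers
    the permission side of the guidance.
    """
    mime = sniff_mime(data)
    if mime is None:
        raise ValueError("store_upload called with unvalidated data")
    name = secrets.token_hex(16) + ALLOWED_TYPES[mime]
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o644)  # pin the mode regardless of the process umask
    return path
```

The order of checks matters: the filename is rejected before any MIME logic runs, so a double extension never reaches the content checks, and the declared Content-Type is only ever accepted when the leading bytes agree with it. Storing under a random server-chosen name removes the original filename from the equation entirely; the web-server rule that disables PHP execution in the directory (item 2) is still required, since permissions alone do not stop the PHP handler from interpreting a file it is asked to serve.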

DETECTION RULES:
1. Monitor for POST requests to image manager endpoints with suspicious file extensions
2. Alert on PHP file uploads or execution attempts in image directories
3. Track failed file extension validation attempts
4. Monitor for reverse shell indicators (outbound connections on ports 4444, 5555, 8888, etc.)
5. Log and alert on unusual process execution from web server user context
6. Implement YARA rules to detect PHP webshell patterns in uploaded files
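
Detection rules 1, 2 and 6 above, as an added example that is not part of the original page or the PhreeBooks project: one function reads combined-format web server access log lines and flags POSTs to the image-manager endpoint that name a PHP-executable extension, plus any request under the upload directory whose path carries such an extension anywhere (so a double extension like x.php.jpg counts); a second walks the image directory and reports files that carry a script extension or contain a PHP open tag. The endpoint path /image-manager, the directory /images/uploads and the log lines are all constructed assumptions; substitute the real deployment paths.

```python
"""Detection helpers for the rules listed above.

Added example, not part of the page or of PhreeBooks. It covers rules 1, 2
and 6 with two functions a defender can run over data already present:

  scan_access_log()  reads Apache/nginx combined-format lines and flags
                     (a) POSTs to the image-manager endpoint whose URL names
                     a PHP-executable extension and (b) any request under
                     the upload directory whose path carries such an
                     extension anywhere (so "x.php.jpg" counts), which is an
                     attempt to execute an uploaded file.
  scan_upload_dir()  walks the image directory and reports files whose name
                     carries a script extension or whose bytes contain a
                     PHP open tag, i.e. "images" that are not images.

The endpoint path "/image-manager" and directory "/images/uploads" are
assumptions; substitute the real deployment paths. SAMPLE_LOG is
constructed sample data.
"""
import os
import re
from typing import List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A PHP-executable extension followed by end of token, another dot, a query
# string or a fragment. Matches "cmd.php", "cmd.php.jpg", "a.phtml?x=1".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)(?=[./?#]|$)", re.IGNORECASE)
PHP_TAGS = (b"<?php", b"<?=")

# Constructed sample: one benign upload and view, then one client that
# uploads a double-extension name and requests it back from the image dir.
SAMPLE_LOG = """\
203.0.113.7 - admin [24/Mar/2026:10:02:11 +0300] "POST /image-manager/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2026:10:02:14 +0300] "GET /images/uploads/photo.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.23 - admin [24/Mar/2026:10:05:40 +0300] "POST /image-manager/upload?name=cmd.php.jpg HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.23 - - [24/Mar/2026:10:05:42 +0300] "GET /images/uploads/cmd.php.jpg HTTP/1.1" 200 77 "-" "curl/8.5.0"
198.51.100.23 - - [24/Mar/2026:10:05:50 +0300] "GET /images/uploads/cmd.phtml HTTP/1.1" 404 196 "-" "curl/8.5.0"
"""

Alert = Tuple[str, str, str]  # (client ip, what was seen, request path)


def scan_access_log(text: str, endpoint: str = "/image-manager",
                    upload_dir: str = "/images/uploads") -> List[Alert]:
    """Return one alert per log line that matches rule 1 or rule 2."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.startswith(endpoint):
            if SCRIPT_EXT.search(path):
                alerts.append((ip, "upload request names a script extension", path))
        elif path.startswith(upload_dir) and SCRIPT_EXT.search(path):
            outcome = "served (status 200)" if status == 200 else f"attempted (status {status})"
            alerts.append((ip, "script-like file under upload dir " + outcome, path))
    return alerts


def scan_upload_dir(root: str) -> List[Tuple[str, str]]:
    """Return (path, reason) for files that should never be in an image dir."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            if SCRIPT_EXT.search(fname):
                findings.append((path, "script extension in filename"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(1 << 20).lower()  # first MiB is enough for an open tag
            if any(tag in head for tag in PHP_TAGS):
                findings.append((path, "PHP open tag inside image file"))
    return findings


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

A 200 response for a script-like path under the upload directory is the signal worth paging on: it means the web server handed the file to a handler rather than refusing it, which is exactly the condition item 2 of the compensating controls is meant to rule out. Failed (404) requests for the same pattern are still worth recording, since they show someone probing for a file that may have been uploaded under a different name.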
🔧 Remediation Steps (Arabic version, translated)
IMMEDIATE ACTIONS:
1. Identify all copies of PhreeBooks ERP 5.2.3 in your environment using scanning and inventory tools
2. Restrict access to the image manager endpoint at the firewall/WAF level to authorized users only
3. Apply an IP whitelist for the image manager function
4. Disable the image manager feature if it is not in active use
5. Review access logs for suspicious upload or PHP execution attempts

PATCHING GUIDANCE:
1. Upgrade to PhreeBooks ERP version 5.2.4 or later immediately
2. If upgrading is not immediately possible, apply the vendor's security patches when released
3. Test patches in a non-production environment before deployment

COMPENSATING CONTROLS:
1. Apply web application firewall rules to block uploads of PHP files with double extensions
2. Configure the web server to prevent PHP execution in upload directories
3. Apply strict server-side file type validation
4. Enforce file permission restrictions (644 for uploaded files, no execute permissions)
5. Implement comprehensive logging and alerting for image manager activities
6. Conduct a daily review of uploaded files to detect suspicious content

DETECTION RULES:
1. Monitor POST requests to image manager endpoints with suspicious file extensions
2. Alert on upload or execution of PHP files in image directories
3. Track failed file extension validation attempts
4. Monitor reverse shell indicators
5. Log and alert on unusual process execution
6. Apply YARA rules to detect webshell patterns in uploaded files
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.4.1 - Event logging and monitoring of system access
ECC 2024 A.14.2.1 - Secure development policy and procedures
ECC 2024 A.14.2.5 - Secure development environment
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory
SAMA CSF PR.AC-1 - Access control and authentication
SAMA CSF PR.DS-2 - Data security and protection
SAMA CSF DE.CM-1 - Detection and monitoring
SAMA CSF RS.RP-1 - Response planning
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.3 - Removable media
ISO 27001:2022 A.12.2 - Logging
ISO 27001:2022 A.12.6 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2 - Secure development
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.8 - Improper access control
PCI DSS 10.2 - Logging and monitoring
PCI DSS 11.3 - Vulnerability scanning
📦 Affected Products / CPE (1 entry)
phreesoft:phreebookserp:5.2.3
📊 CVSS Score
8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-434
Exploit: Yes
Patch: No
Published: 2026-03-24
Source Feed: nvd
🇸🇦 Saudi Risk Score: 9.2 / 10.0 (Priority: CRITICAL)
🏷️ Tags: exploit-available, CWE-434