A bug in the SugarCRM system allows you to take full control of the server without entering credentials.
The exploit code was published online at the end of December. The exploit is a remote code execution (RCE) authentication bypass. SugarCRM has confirmed the existence of the vulnerability and has already fixed it.
According to Censys, as of January 11, 354 SugarCRM servers were infected (about 12% of the total number of SugarCRM servers). The largest number of infections was in the United States - 90, followed by Germany, Australia and France.
The SugarCRM bulletin states that the vulnerability affected Sugar Sell, Serve, Enterprise, Professional and Ultimate software solutions. This did not affect the Sugar Market software.
The authentication bypass works against the "index.php" directory. After the authentication is bypassed, the attacker gets the cookie, and a secondary POST request is sent to the path "/cache/images/sweet.phar", which downloads a PNG file containing PHP code that will be executed by the server when the file is requested again.
The PHP code is decoded and converted into a web shell, which is a text box that a hacker can use as an interface to run commands on compromised devices.