Skip to main content

CISA issues update on Xerte Online Toolkits RCE vulnerabilities

Xerte Online Toolkits contains two vulnerabilities that can lead to remote code execution on the affected server. One issue relates to the persistence of the /setup/ directory after installation and can enable an unauthenticated actor to gain administrative access. The other involves an editable antivirus binary path that can be redirected to a PHP interpreter, allowing uploaded files to execute as PHP code.

CVE-2026-14261 tracks persistence of the /setup/ directory after installation. The issue enables an unauthenticated attacker to reconfigure the application to point to a remote database they control, which allows administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter. In the described workflow, after admin privileges are obtained, the attacker edits the antivirus binary path to point to a PHP interpreter, causing new uploaded files to be passed to the PHP runtime through website_code/php/import/fileupload.php. This bypasses file extension checks and results in remote code execution. During installation, Xerte creates a /setup/ folder to configure database connection settings. This folder persists post-installation without access controls or automatic cleanup, and /setup/index.php does not verify whether installation has completed. The vulnerability enabling CVE-2026-14261 involves authentication bypass and remote code execution via reinstallation through the /setup/ folder by pointing to a remote database they control.

Successful exploitation can allow full remote code execution on the affected server. The advisory states this enables attackers to establish persistent access, exfiltrate data, or launch supply chain attacks by injecting malicious content into educational materials distributed by the platform.

The issues were addressed in two commits: 8fec660 removes /setup/ automatically after installation/upgrade and blocks reuse, and 8ef2062 moves sensitive configuration files, including the antivirus binary path, to server-side locations. The advisory also states users should manually remove the initial installation /setup/ folder from installations. It further states users should upgrade to Xerte v3.15.5 or v3.14.6 and run upgrade.php, which enforces automatic /setup/ removal and includes security hardening. If removal fails, the advisory states the updated code still prevents exploitation.

For additional information and contact data, the advisory provides a blog post at https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update. It also includes acknowledgements thanking the reporter, George Filippov from the Vexel Foundation, and states the document was written by Christopher Cullen. The referenced issues and commits include https://github.com/thexerteproject/xerteonlinetoolkits/issues/1532, https://github.com/thexerteproject/xerteonlinetoolkits/commit/8ef20628f80bd88bd1fe3e5844a9116a910086b7, https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90, and https://github.com/thexerteproject/xerteonlinetoolkits/issues/1543.