# NULL CATHEDRAL - Perfex-Crm

> https://nullcathedral.com/tags/perfex-crm/
> Generated: 2026-04-10

---

## [Perfex CRM <=3.4.0 allows unauthenticated RCE via insecure deserialization](https://nullcathedral.com/posts/2026-03-16-perfex-crm-unauthenticated-rce-insecure-deserialization/)

**March 16, 2026**

Perfex CRM passed the autologin cookie into unserialize() without validation, giving unauthenticated attackers remote code execution.

Tags: [vulnerability](https://nullcathedral.com/tags/vulnerability/), [perfex-crm](https://nullcathedral.com/tags/perfex-crm/), [deserialization](https://nullcathedral.com/tags/deserialization/), [rce](https://nullcathedral.com/tags/rce/), [php](https://nullcathedral.com/tags/php/)

---