
Popular Business Software Bug Lets Hackers X-Ray Your Company's Internal Network

A vulnerability in Krayin CRM software allows attackers to scan and map private company networks from the outside. Thousands of businesses using the platform may be exposed.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

A single malicious web request can now give hackers a detailed map of your company's internal network, including servers, databases, and devices that should never be visible to the outside world.

What's happening

Security researchers have discovered a critical vulnerability in Krayin CRM, a customer relationship management platform used by thousands of businesses worldwide. The flaw allows remote attackers to force the software to scan and probe internal company networks, potentially exposing sensitive systems like payroll databases, security cameras, and administrative panels that companies assume are safely hidden behind their firewalls.

This isn't just about data theft—it's about reconnaissance. Attackers can use this vulnerability to create detailed maps of internal networks, identifying valuable targets for future attacks without ever setting foot inside a building or connecting to a company's WiFi.

How the attack works

The vulnerability exists in Krayin's webhook creation feature, which is designed to let the software communicate with other business tools. Think of webhooks like automated phone calls between different software systems—when something happens in one system, it automatically notifies another.

Here's where things go wrong: when setting up these automated notifications, the software doesn't properly validate where those "calls" are being made. An attacker can trick the system into making requests to internal company resources instead of legitimate external services. It's like convincing your office phone system to automatically dial every extension in your building and report back what answers—except the person giving the commands is sitting in a coffee shop across town.

The attacker sends a specially crafted request to the webhook creation endpoint, supplying internal network addresses instead of external ones. The CRM software dutifully attempts to connect to these internal resources, sending the results back to the attacker. In minutes, they can map out internal servers, databases, and other connected devices.

The technical reality

The vulnerability, tracked as CVE-2026-38527, is a Server-Side Request Forgery (SSRF) flaw in the /settings/webhooks/create component with a CVSS score of 8.5 (High severity). Researchers can trigger the vulnerability by sending POST requests with internal network addresses to the webhook creation endpoint, effectively turning the CRM server into a proxy for internal network reconnaissance.
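The defence against this class of bug is to validate the webhook target before the server makes any request at all. The Python below is an added example written for this article; it is not Krayin's code and does not describe how Krayin fixed CVE-2026-38527. It checks the URL scheme, resolves the host name, and refuses any target that resolves to a private, loopback, link-local or otherwise non-public address, so a DNS name pointing at an internal host is refused just like a raw internal IP. `demo_resolver` and the addresses in it are constructed stand-ins for DNS so the check runs offline.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def demo_resolver(host: str) -> list[str]:
    """Constructed lookup table standing in for DNS (assumption, for offline use)."""
    table = {
        "hooks.example.com": ["93.184.216.34"],            # stand-in for a public address
        "localhost": ["127.0.0.1", "::1"],
        "intranet.example": ["10.0.0.5"],
        "dual.example": ["93.184.216.34", "192.168.1.1"],  # one public record, one internal
    }
    return table.get(host, [])


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress' is_global already excludes RFC 1918 space, loopback, link-local,
    CGNAT, the documentation TEST-NETs and 0.0.0.0/8; multicast is excluded here.
    """
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is judged by its IPv4 part.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def webhook_url_problem(url: str,
                        resolver: Callable[[str], Iterable[str]] = system_resolver) -> str | None:
    """Return None if the URL may be called, otherwise a short reason to refuse it."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError as exc:  # e.g. an unbalanced IPv6 bracket
        return f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials embedded in the URL are not allowed"
    if not host:
        return "URL has no host"
    # A literal address needs no lookup; a name is resolved and *every* returned
    # address must be public, so a name with a single internal record is refused.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = list(resolver(host))
    if not addresses:
        return f"host {host!r} did not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return f"host {host!r} resolves to non-public address {addr}"
    return None


def validate_webhook_url(url: str, resolver=system_resolver) -> str:
    """Raise ValueError for a refused URL; return it unchanged when acceptable."""
    problem = webhook_url_problem(url, resolver)
    if problem:
        raise ValueError(problem)
    return url


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/notify", "http://10.0.0.5:8080/admin",
                      "http://localhost:3306/", "http://dual.example/", "ftp://hooks.example.com/"):
        print(f"{candidate:40} -> {webhook_url_problem(candidate, demo_resolver) or 'OK'}")
```

Validating the name at creation time is necessary but not sufficient: the answer from DNS can change between validation and the moment the webhook actually fires, so the HTTP client that sends the notification should connect to the address that was validated (or repeat the check at request time) and should not follow redirects to hosts that were never validated. An egress firewall rule of the kind described in step 2 of the advice below backs this up if the application check is ever bypassed.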

Who is at risk

Any organization running Krayin CRM version 2.2.x is potentially vulnerable. This includes small businesses, enterprise customers, and managed service providers who host the software for multiple clients. The risk is particularly high for organizations that run Krayin on servers with access to sensitive internal networks, which is common in typical business deployments.

Companies using cloud deployments may have some protection if their network segmentation is properly configured, but many organizations run business software with broad internal network access for convenience and integration purposes.

What you should do right now

1. Identify your Krayin installations immediately. Check with your IT team or service providers to determine if you're running Krayin CRM v2.2.x. Look for any Krayin instances that might be hosted on servers with access to internal networks.

2. Implement network restrictions as an emergency measure. Until patches are available, restrict the CRM server's ability to make outbound requests to private internal network ranges (typically 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x). Configure firewalls or network policies to block these connections from Krayin servers.

3. Monitor for suspicious webhook activity. Review your Krayin logs for unusual webhook creation attempts, especially those targeting internal IP addresses or localhost connections. Set up alerts for POST requests to /settings/webhooks/create that contain private IP address ranges in the payload.
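Step 3 above asks for alerts on webhook creations that point at private addresses or localhost. The Python below is an added example, not Krayin's own logging or detection: it reads constructed JSON audit records (the field names `method`, `path`, `user` and `payload.url` are assumptions about what an application audit log might carry; only the path `/settings/webhooks/create` comes from the article), flags every creation whose target host is a non-public IP literal or a localhost name, and separately flags any account that creates five or more webhooks within two minutes, since scanning a range from the webhook form produces exactly that burst even when each individual target looks harmless.

```python
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WEBHOOK_ENDPOINT = "/settings/webhooks/create"  # the endpoint named in the article
BURST_THRESHOLD = 5                              # creations by one account ...
BURST_WINDOW = timedelta(minutes=2)              # ... inside this window looks like scanning

# Constructed audit records. The field layout (method, path, user, payload.url)
# is an assumption, not Krayin's actual log format.
SAMPLE_LOG = """\
{"ts": "2026-03-01T10:00:01Z", "method": "POST", "path": "/settings/webhooks/create", "user": "alice", "payload": {"url": "https://hooks.example.com/crm"}}
{"ts": "2026-03-01T10:03:40Z", "method": "GET", "path": "/settings/webhooks", "user": "bob", "payload": {}}
{"ts": "2026-03-01T10:05:10Z", "method": "POST", "path": "/settings/webhooks/create", "user": "mallory", "payload": {"url": "http://10.0.0.5:8080/"}}
{"ts": "2026-03-01T10:05:11Z", "method": "POST", "path": "/settings/webhooks/create", "user": "mallory", "payload": {"url": "http://10.0.0.6:8080/"}}
{"ts": "2026-03-01T10:05:12Z", "method": "POST", "path": "/settings/webhooks/create", "user": "mallory", "payload": {"url": "http://10.0.0.7:8080/"}}
{"ts": "2026-03-01T10:05:13Z", "method": "POST", "path": "/settings/webhooks/create", "user": "mallory", "payload": {"url": "http://10.0.0.8:8080/"}}
{"ts": "2026-03-01T10:05:14Z", "method": "POST", "path": "/settings/webhooks/create", "user": "mallory", "payload": {"url": "http://10.0.0.9:8080/"}}
{"ts": "2026-03-01T10:05:15Z", "method": "POST", "path": "/settings/webhooks/create", "user": "mallory", "payload": {"url": "http://localhost:3306/"}}
{"ts": "2026-03-01T11:00:00Z", "method": "POST", "path": "/settings/webhooks/create", "user": "carol", "payload": {"url": "http://192.168.1.20/"}}
{"ts": "2026-03-01T11:30:00Z", "method": "POST", "path": "/settings/webhooks/create", "user": "dave", "payload": {"url": "https://hooks.example.com/erp"}}
"""


def target_is_internal(url: str) -> bool:
    """Flag URLs whose host is a localhost name or a non-public IP literal.

    Other host names are deliberately not resolved: a log pass should not do
    DNS lookups, and resolution belongs in the validator that runs at creation time.
    """
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return True  # malformed URL in a webhook payload is worth a look
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global or ip.is_multicast


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def webhook_creations(log_text: str) -> list[dict]:
    """Keep only POSTs to the webhook creation endpoint, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") == "POST" and rec.get("path") == WEBHOOK_ENDPOINT:
            events.append(rec)
    return events


def find_internal_targets(events: list[dict]) -> list[dict]:
    """One alert per creation whose target points inside the network."""
    alerts = []
    for ev in events:
        url = ev.get("payload", {}).get("url", "")
        if target_is_internal(url):
            alerts.append({"kind": "internal_target", "ts": ev["ts"], "user": ev["user"], "url": url})
    return alerts


def find_bursts(events: list[dict]) -> list[dict]:
    """One alert per account whose creations in any BURST_WINDOW reach BURST_THRESHOLD."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(parse_ts(ev["ts"]))
    alerts = []
    for user, times in per_user.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            alerts.append({"kind": "burst", "user": user, "count": peak})
    return alerts


def analyze(log_text: str) -> dict:
    events = webhook_creations(log_text)
    return {"internal_targets": find_internal_targets(events), "bursts": find_bursts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["internal_targets"] + result["bursts"]:
        print(alert)
```

Against the constructed records this reports seven internal-target alerts (five RFC 1918 addresses and one localhost target from mallory, one from carol) and one burst alert for mallory, while alice's and dave's creations pointing at an external host pass untouched. In a real deployment the thresholds are the knobs to tune: legitimate integrations rarely create more than a handful of webhooks per account in a short window, so a low threshold is usually safe.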
