Skip to main content

WukongCRM CVE-2025-60828

MEDIUM
Deserialization of Untrusted Data (CWE-502)
2025-10-08 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable fastjson deserialization with a public POC warrants C:H/I:H/A:H; C:N/I:L/A:L in source CVSS likely reflects a partial-impact demonstration, not the exploitability ceiling.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 15:16 vuln.today
CVE Published
Oct 08, 2025 - 14:15 cve.org
MEDIUM 6.5

DescriptionCVE.org

WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface.

AnalysisAI

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Technical ContextAI

WukongCRM is a Java-based customer relationship management platform developed by 5kCRM (CPE: cpe:2.3:a:5kcrm:wukong_crm:9.0:*:*:*:*:*:*:*). The root cause is CWE-502 (Deserialization of Untrusted Data) in the Alibaba fastjson library, which is pervasive in Chinese Java ecosystems. Fastjson's AutoType feature resolves Java class names from a JSON @type field at parse time; when not restricted by a denylist or allowlist, attacker-supplied @type values can instantiate arbitrary classes whose constructors or property setters act as gadget-chain entry points. The vulnerable endpoint /OaExamine/setOaExamine belongs to WukongCRM's OA examination workflow module and appears to deserialize user-supplied JSON without adequate type validation, allowing exploitation of whichever dangerous gadget classes (e.g., from commons-collections, spring-core, or similar) are present on the server's runtime classpath.

RemediationAI

No vendor-released patch has been identified at time of analysis - available references point exclusively to researcher POC writeups at https://gist.github.com/ChangeYourWay/424478421d6a78d1f87d324cddcbfd59 and https://github.com/ChangeYourWay/post/blob/main/WukongCRM-9.0-JAVA.md, not a vendor fix. As an immediate compensating control, restrict network access to the /OaExamine/setOaExamine endpoint via WAF rules or reverse-proxy ACLs - the trade-off is that the OA examination workflow will be unavailable to blocked network segments. If the underlying fastjson library version can be identified and upgraded, fastjson 1.2.83 or later with AutoType disabled (ParserConfig.getGlobalInstance().setAutoTypeSupport(false)) significantly reduces gadget-chain attack surface, though this may break deserialization of existing serialized data and requires regression testing. Organizations should monitor 5kCRM's official channels for a patched release given the public POC availability.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2025-60828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy