WukongCRM CVE-2025-60828
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Unauthenticated network-reachable fastjson deserialization with a public POC warrants C:H/I:H/A:H; C:N/I:L/A:L in source CVSS likely reflects a partial-impact demonstration, not the exploitability ceiling.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface.
AnalysisAI
Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).
Technical ContextAI
WukongCRM is a Java-based customer relationship management platform developed by 5kCRM (CPE: cpe:2.3:a:5kcrm:wukong_crm:9.0:*:*:*:*:*:*:*). The root cause is CWE-502 (Deserialization of Untrusted Data) in the Alibaba fastjson library, which is pervasive in Chinese Java ecosystems. Fastjson's AutoType feature resolves Java class names from a JSON @type field at parse time; when not restricted by a denylist or allowlist, attacker-supplied @type values can instantiate arbitrary classes whose constructors or property setters act as gadget-chain entry points. The vulnerable endpoint /OaExamine/setOaExamine belongs to WukongCRM's OA examination workflow module and appears to deserialize user-supplied JSON without adequate type validation, allowing exploitation of whichever dangerous gadget classes (e.g., from commons-collections, spring-core, or similar) are present on the server's runtime classpath.
RemediationAI
No vendor-released patch has been identified at time of analysis - available references point exclusively to researcher POC writeups at https://gist.github.com/ChangeYourWay/424478421d6a78d1f87d324cddcbfd59 and https://github.com/ChangeYourWay/post/blob/main/WukongCRM-9.0-JAVA.md, not a vendor fix. As an immediate compensating control, restrict network access to the /OaExamine/setOaExamine endpoint via WAF rules or reverse-proxy ACLs - the trade-off is that the OA examination workflow will be unavailable to blocked network segments. If the underlying fastjson library version can be identified and upgraded, fastjson 1.2.83 or later with AutoType disabled (ParserConfig.getGlobalInstance().setAutoTypeSupport(false)) significantly reduces gadget-chain attack surface, though this may break deserialization of existing serialized data and requires regression testing. Organizations should monitor 5kCRM's official channels for a patched release given the public POC availability.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today