
Metasoft MetaCRM CVE-2025-7873

Severity: LOW
Weakness: CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
2025-07-20 · cna@vuldb.com
Score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:23 (vuln.today)

Description (CVE.org)

A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file mcc_login.jsp. The manipulation of the argument workerid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

SQL injection in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to execute arbitrary SQL commands via the workerid parameter in mcc_login.jsp; exploit code was publicly disclosed after the vendor did not respond. Although the CVE.org description labels the issue critical, the CVSS 4.0 score is only 2.1: the vulnerability requires prior authentication (PR:L) and has only limited confidentiality/integrity impact (VC:L/VI:L), so real-world exploitation risk is significantly lower than the critical designation suggests.

Technical Context (AI)

The vulnerability exists in the mcc_login.jsp file, a JavaServer Pages (JSP) component within MetaCRM's authentication layer. The attack vector targets the workerid parameter, which is used unsafely in SQL query construction without proper input validation or parameterized queries, resulting in classic SQL injection (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component). MetaCRM is an enterprise customer relationship management platform by Metasoft (美特软件), commonly deployed in business environments. The network-accessible JSP endpoint combined with insufficient input sanitization creates a post-authentication SQL injection point.
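The following is an added illustration of the query-construction flaw described above and of the parameterized-query fix; it is not MetaCRM's code or schema, which the record does not disclose. The in-memory `worker` table, its rows and the input values are constructed for this example, and the lookup functions are hypothetical stand-ins for whatever mcc_login.jsp does with workerid.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a CRM worker/login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE worker (workerid TEXT PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO worker VALUES (?, ?, ?)",
        [("w1001", "alice", "sales"), ("w1002", "bob", "admin")],
    )
    return conn


def lookup_vulnerable(conn, workerid):
    """CWE-74 pattern: the request parameter is spliced into the SQL text,
    so quote characters in it change the structure of the WHERE clause."""
    sql = (
        "SELECT workerid, name, role FROM worker WHERE workerid = '"
        + workerid
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, workerid):
    """Parameterized query: the driver binds the value as data, so the
    same input is compared literally against the workerid column."""
    sql = "SELECT workerid, name, role FROM worker WHERE workerid = ?"
    return conn.execute(sql, (workerid,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "w1001"
    # Constructed tautology input of the kind the WAF guidance below targets.
    hostile = "' OR '1'='1"
    print(lookup_vulnerable(conn, benign))   # one row, as intended
    print(lookup_vulnerable(conn, hostile))  # every row: the clause was rewritten
    print(lookup_safe(conn, hostile))        # no rows: treated as a literal id
```

The hardened version does not filter or escape anything; it simply never lets the parameter reach the SQL parser, which is why parameterized statements (PreparedStatement in JDBC/JSP code) are the primary fix and WAF signatures are only a compensating control.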

Remediation (AI)

No vendor-released patch had been identified at the time of analysis, as Metasoft did not respond to the early disclosure notification. Organizations should immediately audit and restrict access to the mcc_login.jsp endpoint via network controls (firewall rules, WAF policies, or reverse proxy ACLs) so that only trusted internal networks can reach it. Implement SQL input validation and Web Application Firewall (WAF) rules that block SQL injection patterns in the workerid parameter (e.g., quotes, dashes, comment sequences, UNION keywords). As a temporary compensating control, disable or isolate the MetaCRM deployment until a vendor patch is confirmed available, or migrate to an alternative CRM platform. Monitor database query logs for suspicious SQL patterns and audit user accounts for unauthorized access, since adversaries with valid credentials can exploit this flaw. If the system remains in production, enforce strict network segmentation and multi-factor authentication to limit the pool of accounts that can reach mcc_login.jsp.
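As an added example of the monitoring side of the guidance above (not part of the vuln.today record and not a MetaCRM component), the script below scans web-server access-log lines for requests to mcc_login.jsp and flags workerid values that hit the signatures listed (quotes, dashes, comment sequences, UNION) or that fall outside an expected id format. The log lines, the combined-log layout and the `EXPECTED_WORKERID` pattern are all constructed assumptions; MetaCRM's real id format is not documented on the page, so the allowlist regex must be adjusted before use.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Signature families named in the remediation guidance. Matching is done on
# the percent-decoded value, since encoded payloads are the common case.
SIGNATURES = {
    "quote": re.compile(r"['\"]"),
    "line_comment": re.compile(r"--|#"),
    "block_comment": re.compile(r"/\*|\*/"),
    "union": re.compile(r"\bunion\b", re.IGNORECASE),
}

# Hypothetical allowlist for a worker id; the real format is an assumption here.
EXPECTED_WORKERID = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Apache/nginx combined-log shape (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def workerid_from_target(target):
    """Return the decoded workerid query value, or None if the request has none."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = qs.get("workerid")
    return values[0] if values else None


def classify(value):
    """List the signature names a value triggers; empty means it looks clean.
    A value outside the expected format is also reported, as 'format'."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(value)]
    if not EXPECTED_WORKERID.match(value):
        hits.append("format")
    return hits


def scan_log(lines):
    """Return (client_ip, decoded_workerid, hits) for each suspicious
    mcc_login.jsp request; requests to other paths are ignored."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "mcc_login.jsp" not in m.group("target"):
            continue
        wid = workerid_from_target(m.group("target"))
        if wid is None:
            continue
        hits = classify(wid)
        if hits:
            flagged.append((m.group("ip"), wid, hits))
    return flagged


# Constructed sample lines: one benign login, two hostile ones, one unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jul/2025:10:00:01 +0000] "GET /mcc_login.jsp?workerid=w1001 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jul/2025:10:00:07 +0000] "GET /mcc_login.jsp?workerid=w1001%27-- HTTP/1.1" 500 201',
    '10.0.0.9 - - [20/Jul/2025:10:00:09 +0000] "GET /mcc_login.jsp?workerid=w1001%2F%2A%2A%2FUNION HTTP/1.1" 500 201',
    '10.0.0.7 - - [20/Jul/2025:10:00:12 +0000] "GET /index.jsp?workerid=%27 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for ip, wid, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} workerid={wid!r} hits={hits}")
```

Signature matching of this kind will miss encodings or keywords it does not know about and will produce false positives on ids that legitimately contain the flagged characters, so the `format` allowlist check is the more robust of the two and the one to tune first; both are stop-gaps until the query construction itself is fixed. The same rules can be ported to a WAF policy in front of the endpoint.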


CVE-2025-7873 vulnerability details – vuln.today
