
Metasoft MetaCRM CVE-2025-7876

LOW
Improper Input Validation (CWE-20)
2025-07-20 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:23 (vuln.today)

Description (CVE.org)

A vulnerability classified as critical was found in Metasoft 美特软件 MetaCRM up to 6.4.2. This vulnerability affects the function AnalyzeParam of the file download.jsp. The manipulation of the argument p leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Unsafe deserialization of the 'p' parameter in the AnalyzeParam function of download.jsp allows authenticated remote attackers to execute arbitrary code in Metasoft MetaCRM through 6.4.2. Publicly available exploit code exists. The CVSS score of 2.1 reflects the required authentication (PR:L) and the limited technical impact scope, but exploitation probability is marked as probable (E:P). The vendor did not respond to early disclosure notification.

Technical Context (AI)

The flaw is unsafe Java object deserialization (classified as CWE-20: Improper Input Validation) in the AnalyzeParam function, which processes the 'p' parameter of download.jsp. When a logged-in user submits a crafted request containing a malicious serialized Java object, the application deserializes it without proper validation, enabling arbitrary code execution. The attack is delivered over HTTP or HTTPS (AV:N), so network-level access is sufficient, but authentication as a valid user (PR:L) is required. This is a common pattern in legacy Java web applications, where user-controlled input is deserialized directly without gadget chain filtering or serialization filters.

Remediation (AI)

Upgrade Metasoft MetaCRM to a patched version released after 6.4.2; contact the vendor directly for patch availability and timeline. If immediate patching is unavailable, implement the following compensating controls: restrict network access to download.jsp to trusted IP addresses or internal networks only via firewall or WAF rules; enforce strong multi-factor authentication for all MetaCRM user accounts to reduce credential compromise likelihood; disable or restrict access to the AnalyzeParam function if not operationally required; monitor and log all requests to download.jsp with serialized object payloads using Web Application Firewall (WAF) rules or intrusion detection signatures; apply Java serialization filters (JEP 290) at the application level if source code modification is possible. Note that restricting network access or WAF filtering introduces operational risk if legitimate users require remote access, and should be tested thoroughly before deployment.
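
As an added example (not MetaCRM or vuln.today code), the monitoring control above can be prototyped as a log filter that flags download.jsp requests whose p parameter begins with the Java serialization stream header. The page does not say how p is encoded, so the raw, hex and Base64 checks, the access-log layout and the sample lines are assumptions; payloads sent in POST bodies do not appear in access logs and are not covered.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# First four bytes of every Java serialization stream (STREAM_MAGIC, STREAM_VERSION).
JAVA_MAGIC = bytes.fromhex("aced0005")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def payload_encoding(value):
    """Return how a serialized Java object is encoded in value, or None."""
    head = value[:8]  # 8 hex digits or 8 Base64 characters cover the 4 magic bytes
    candidates = [
        ("raw", lambda: value.encode("latin-1", "ignore")),
        ("hex", lambda: bytes.fromhex(head)),
        ("base64", lambda: base64.b64decode(head)),
        ("base64url", lambda: base64.urlsafe_b64decode(head)),
    ]
    for name, decode in candidates:
        try:
            if decode().startswith(JAVA_MAGIC):
                return name
        except ValueError:  # not valid in this encoding (binascii.Error is a ValueError)
            continue
    return None

def flag_requests(log_lines):
    """Return (client, path, encoding) for download.jsp requests whose p looks serialized."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/download.jsp"):
            continue
        # latin-1 maps percent-decoded bytes 1:1, so a raw payload survives decoding
        for value in parse_qs(url.query, encoding="latin-1").get("p", []):
            encoding = payload_encoding(value)
            if encoding:
                hits.append((line.split()[0], url.path, encoding))
    return hits

# Constructed sample: placeholder bytes behind the header (not a real object); clients and paths are made up.
_BLOB = JAVA_MAGIC + b"constructed-placeholder"
SAMPLE_LOG = [
    f'198.51.100.7 - u1 [20/Jul/2025:10:00:00 +0000] "GET /download.jsp?p={base64.b64encode(_BLOB).decode()} HTTP/1.1" 200 512',
    f'198.51.100.8 - u2 [20/Jul/2025:10:00:05 +0000] "GET /download.jsp?p={_BLOB.hex()} HTTP/1.1" 200 512',
    '198.51.100.9 - u3 [20/Jul/2025:10:00:09 +0000] "GET /download.jsp?p=%AC%ED%00%05placeholder HTTP/1.1" 200 512',
    '203.0.113.5 - u4 [20/Jul/2025:10:01:00 +0000] "GET /download.jsp?p=report-2025.pdf HTTP/1.1" 200 9000',
    f'203.0.113.9 - u5 [20/Jul/2025:10:02:00 +0000] "GET /index.jsp?p={_BLOB.hex()} HTTP/1.1" 200 100',
]
```

A hit means only that the value starts with the stream header; it is a triage signal for the request and account involved, not proof of exploitation.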
