Metasoft MetaCRM CVE-2025-7877

LOW
Improper Access Control (CWE-284)
2025-07-20 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 29, 2026 - 01:23 (vuln.today)

Description (CVE.org)

A vulnerability, which was classified as critical, has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This issue affects some unknown processing of the file sendfile.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitrary files via the File parameter in sendfile.jsp, potentially enabling remote code execution or data exfiltration. Exploit code is publicly available, and the vulnerability affects systems with basic user authentication. The CVSS score of 2.1 reflects limited confidentiality, integrity, and availability impact in the base score, although exploitability is marked as probable (E:P).

Technical Context (AI)

MetaCRM is a customer relationship management system developed by Metasoft. The vulnerability exists in the sendfile.jsp file, a JSP (JavaServer Pages) component commonly used for file handling operations in Java web applications. CWE-284 (Improper Access Control) indicates the root cause is inadequate validation of file upload parameters. The File parameter in sendfile.jsp fails to properly restrict or validate uploaded file types, destinations, or content, allowing authenticated users to bypass intended upload restrictions. This is a direct manipulation vulnerability where attacker-controlled input is processed without sufficient filtering or authorization checks.

Remediation (AI)

No vendor-released patch is available at this time; Metasoft has not responded to disclosure attempts. Immediate compensating controls are required:

(1) Disable or restrict access to sendfile.jsp at the web server level using firewall rules or application configuration, limiting access only to trusted internal networks if the feature is required for business operations.

(2) Implement strict file upload validation at the application level: restrict uploaded file extensions to a whitelist (e.g., allow only .pdf, .doc, .txt), enforce file type verification using magic bytes or MIME type detection, and store uploads outside the web root directory to prevent execution.

(3) Enforce the principle of least privilege: audit MetaCRM user accounts and remove upload permissions from users who do not require this functionality.

(4) Monitor the sendfile.jsp endpoint for suspicious activity: log all file upload attempts, alert on unexpected file types or sizes, and review logs regularly for signs of exploitation.

(5) Consider network segmentation: isolate MetaCRM systems from sensitive data stores and limit outbound connections to prevent data exfiltration if a file upload is successfully exploited.

Organizations should contact Metasoft directly to request a security patch or consider migration to alternative CRM solutions if no vendor fix is provided within a reasonable timeframe.

References: https://vuldb.com/?id.316991, https://github.com/FightingLzn9/vul/blob/main/MetaCRM6-Upload-4.md
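The three checks in control (2), written out as an added example; this is not MetaCRM or vendor code. The function names, the 10 MiB limit, the UTF-8 rule for .txt and the storage directory are assumptions made for the illustration.

```python
import os
import secrets
from pathlib import Path

# Allowlist from the remediation text (.pdf, .doc, .txt). Signatures: PDF header
# and OLE2 compound-file header. Plain text has no signature (None).
MAGIC = {".pdf": b"%PDF-", ".doc": bytes.fromhex("d0cf11e0a1b11ae1"), ".txt": None}
MAX_BYTES = 10 * 1024 * 1024  # assumed size limit, not from the advisory


class UploadRejected(ValueError):
    pass


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the allowlisted extension, or raise UploadRejected."""
    # Keep only the last path component; refuse NULs and double extensions.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base or base.count(".") != 1:
        raise UploadRejected("suspicious file name")
    ext = "." + base.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    magic = MAGIC[ext]
    if magic is not None:
        if not data.startswith(magic):
            raise UploadRejected("content does not match extension")
    else:
        # Assumed rule for .txt: valid UTF-8 with no NUL bytes.
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("not valid UTF-8 text") from None
        if "\x00" in text:
            raise UploadRejected("binary content in .txt")
    return ext


def store_upload(client_name: str, data: bytes, store_dir: Path) -> Path:
    """Save under a server-generated name; store_dir must be outside the web root."""
    ext = validate_upload(client_name, data)
    dest = store_dir / (secrets.token_hex(16) + ext)
    # O_EXCL never overwrites an existing file; mode 0o600 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest
```

A signature check alone can be passed by content that merely begins with the right bytes, which is why the server-generated name and the storage location outside the web root are part of the same control.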
