Is there a public PoC exploit available for CVE-2025-7878?

Yes, a public proof-of-concept exploit is available for CVE-2025-7878. Prioritise patching immediately. EPSS: 0.1%.

Metasoft MetaCRM CVE-2025-7878

Q: What is the CVSS score of CVE-2025-7878?

CVE-2025-7878 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

Improper Access Control (CWE-284)

2025-07-20 cna@vuldb.com

Authentication Bypass File Upload Metacrm

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:23 vuln.today

DescriptionCVE.org

A vulnerability, which was classified as critical, was found in Metasoft 美特软件 MetaCRM up to 6.4.2. Affected is an unknown function of the file /common/jsp/upload2.jsp. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitrary files via the /common/jsp/upload2.jsp endpoint, potentially enabling remote code execution or data exfiltration. The vulnerability requires valid user credentials (PR:L) but involves minimal technical complexity (AC:L). Public exploit code is available and the vendor has not responded to early disclosure notifications.

Technical ContextAI

The vulnerability resides in the /common/jsp/upload2.jsp file, a JSP-based upload handler within the MetaCRM web application. The underlying issue is classified as CWE-284 (Improper Access Control), indicating the upload mechanism fails to properly validate or restrict the file parameter, likely missing checks on file type, size, or destination path. This is a classic file upload vulnerability in Java web applications where insufficient input sanitization on the File argument permits uploaders to place malicious content (web shells, executable binaries, or other payloads) in web-accessible directories. The affected product versions through 6.4.2 are identified via CPE cpe:2.3:a:metasoft:metacrm:*:*:*:*:*:*:*:*.

RemediationAI

No vendor-released patch has been identified at time of analysis, and the vendor did not respond to early disclosure. Organizations using MetaCRM should immediately implement network-level access controls: restrict access to the /common/jsp/upload2.jsp endpoint to trusted IP ranges or require VPN connectivity. At the application level, disable the upload feature entirely if not required for business operations, or implement strict file upload validation on the server side (whitelist allowed file extensions, verify MIME types, enforce file size limits, and store uploads outside the web root). Monitor web server logs for suspicious POST requests to upload2.jsp and track file modifications in the upload directory. Consider migrating to a patched version if the vendor releases one, or evaluate alternative CRM solutions if MetaCRM is exposed to untrusted networks. Compensating controls should prioritize network isolation, as application-level fixes require vendor cooperation.

CVE-2025-7878 vulnerability details – vuln.today

Back