
Metasoft MetaCRM CVE-2025-7879

LOW
Improper Access Control (CWE-284)
2025-07-20 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated
Apr 29, 2026 - 01:23 vuln.today

Description (CVE.org)

A vulnerability has been found in Metasoft 美特软件 MetaCRM up to 6.4.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file mobileupload.jsp. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 via the mobileupload.jsp endpoint allows authenticated remote attackers to upload arbitrary files with limited integrity and confidentiality impact. The vulnerability has been publicly disclosed with exploit code available on GitHub. Despite early vendor contact, Metasoft has not provided a patch or acknowledgment, leaving deployments unpatched.

Technical Context (AI)

The vulnerability exists in the mobileupload.jsp file upload handler in MetaCRM, a customer relationship management system. The File parameter in the mobileupload.jsp endpoint fails to implement proper validation or access controls on uploaded file types and content, allowing arbitrary file uploads. This is classified under CWE-284 (Improper Access Control / Permissions, Privileges, and Other Access-Related Information), indicating the root cause is insufficient authorization or validation logic. The attack requires prior authentication (PR:L per CVSS vector), suggesting the upload functionality is accessible only to authenticated users, though the insufficient validation means authenticated users can bypass intended upload restrictions.

Remediation (AI)

No vendor-released patch has been identified at time of analysis, as Metasoft did not respond to early disclosure. Organizations should implement compensating controls:

(1) Restrict access to the mobileupload.jsp endpoint to trusted networks only using firewall or WAF rules;
(2) Implement file type validation and Content-Type checks at the web server level (e.g., Apache or IIS) to block upload of executable file types (.jsp, .jspx, .war, .exe, .sh);
(3) Store uploaded files outside the web root directory where they cannot be directly executed or accessed via HTTP requests;
(4) Configure the application server to disable script execution in upload directories via directory-level permissions or web.xml restrictions;
(5) Monitor the upload directory for unexpected file additions and review upload logs for suspicious activity.

If an upgrade becomes available, apply it immediately after vendor release. Until then, the combination of network segmentation and upload directory hardening provides the strongest mitigation without requiring vendor cooperation.
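One way to carry out the upload-directory monitoring in control (5), using the extension list from control (2). This is an added example, not code from the advisory or from Metasoft. The directory passed to `scan_upload_dir` is an assumption (the page does not name MetaCRM's upload path), and the content heuristics are assumptions added to catch renamed files.

```python
import re
import tempfile
from pathlib import Path

# Extensions the remediation text names as executable upload types.
BLOCKED_EXT = {".jsp", ".jspx", ".war", ".exe", ".sh"}
# Heuristic content checks that catch renamed files (assumption, not from the page).
JSP_TAG = re.compile(rb"<%[@!=\s]|<jsp:", re.I)
MAGIC = {b"MZ": "PE executable header", b"#!": "script shebang"}


def inspect_file(path: Path) -> list[str]:
    """Return the reasons a file in the upload directory looks executable."""
    reasons = []
    # Path.suffixes also covers double extensions such as tool.jsp.txt
    hits = {s.lower() for s in path.suffixes} & BLOCKED_EXT
    if hits:
        reasons.append("blocked extension " + ",".join(sorted(hits)))
    with path.open("rb") as fh:
        head = fh.read(8192)
    reasons += [label for magic, label in MAGIC.items() if head.startswith(magic)]
    if JSP_TAG.search(head):
        reasons.append("JSP tag in content")
    return reasons


def scan_upload_dir(root: Path) -> dict[str, list[str]]:
    """Map relative path -> reasons for every flagged regular file under root."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            reasons = inspect_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Scan constructed sample files standing in for a real upload directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.pdf").write_bytes(b"%PDF-1.7 constructed sample")
        (root / "Notes.JSP").write_bytes(b"constructed plain text")
        (root / "photo.png").write_bytes(b'<%@ page import="java.io.*" %>')
        (root / "tool.jsp.txt").write_bytes(b"#!/bin/sh\n")
        return scan_upload_dir(root)


if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", "; ".join(why))
```

The content match is a heuristic over the first 8 KiB of each file, so treat findings as leads for review; run the scan on a schedule and compare each result with the previous one to spot new additions.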
