Metasoft MetaCRM CVE-2025-7880
Severity by source: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2 and classified as critical. Affected by this issue is some unknown functionality of the file /business/common/sms/sendsms.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitrary files via the File parameter in /business/common/sms/sendsms.jsp, potentially leading to remote code execution or data compromise. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited confidentiality impact, but publicly available exploit code exists and the vendor has not responded to early disclosure.
Technical Context (AI)
The vulnerability exists in the SMS sending functionality of MetaCRM, specifically in the sendsms.jsp file which handles file uploads for SMS campaigns. The issue stems from improper input validation on the File parameter, allowing attackers to bypass file upload restrictions. CWE-284 (Improper Access Control) indicates a failure to properly restrict or validate file uploads based on user permissions and file type constraints. This is a classic file upload vulnerability where the application fails to enforce adequate controls on what files can be uploaded or where they can be stored.
Remediation (AI)
Upgrade Metasoft MetaCRM to a version newer than 6.4.2 if available from the vendor. However, given the vendor's non-responsiveness to the early disclosure, security patches may not be forthcoming. As compensating controls, implement strict file upload validation by enforcing file type whitelisting (allow only expected document formats such as PDF or CSV), implement file extension verification with Content-Type header validation, store uploaded files outside the web-accessible directory tree to prevent direct execution, and apply strict access controls to the /business/common/sms/sendsms.jsp endpoint to limit access only to authorized SMS administrators. Additionally, configure the application server to disable execution of script files (JSP, PHP, etc.) in the upload directory via .htaccess or web server configuration. Monitor uploads for suspicious content and implement antivirus scanning on uploaded files before persistence.
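The compensating controls listed above (extension allowlist, Content-Type check, storage outside the web root), sketched as an added example; this is not MetaCRM or vendor code. The function name `store_upload`, its parameters, the content checks and the directory layout are assumptions made for illustration, and Python 3.9+ is assumed.

```python
import secrets
from pathlib import Path

class UploadRejected(ValueError):
    """Raised when an upload fails any allowlist check."""

def _is_pdf(data: bytes) -> bool:
    return data.startswith(b"%PDF-")  # PDF files start with this signature

def _is_csv(data: bytes) -> bool:
    # CSV has no signature: require UTF-8 text with no NULs or script tags.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not any(marker in text for marker in ("\x00", "<%", "<?"))

# Allowlist: extension -> (accepted Content-Type values, content check).
ALLOWED = {
    ".pdf": ({"application/pdf"}, _is_pdf),
    ".csv": ({"text/csv"}, _is_csv),
}

def store_upload(client_name, content_type, data, storage_root, web_root):
    """Validate an upload and write it under storage_root; return the path."""
    root, web = Path(storage_root).resolve(), Path(web_root).resolve()
    if root.is_relative_to(web):  # also true when root == web
        raise UploadRejected("storage directory is inside the web root")
    # Exactly one extension, so 'page.jsp.pdf' is refused outright.
    suffixes = [s.lower() for s in Path(client_name).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in ALLOWED:
        raise UploadRejected("extension not on the allowlist")
    types, content_ok = ALLOWED[suffixes[0]]
    if content_type.split(";")[0].strip().lower() not in types:
        raise UploadRejected("Content-Type does not match extension")
    if not content_ok(data):
        raise UploadRejected("content does not match declared type")
    # Server-generated name: the client-supplied name never reaches the path.
    target = root / (secrets.token_hex(16) + suffixes[0])
    with open(target, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    return target
```

The Content-Type header is client-controlled, so it is checked only for consistency; the extension allowlist, the content check and the storage location are what keep a stored file from being executed.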