Skip to main content

Wukong Crm

3 CVEs product

Monthly

CVE-2025-60828 MEDIUM POC This Month

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Java Deserialization Wukong Crm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-37181 CRITICAL POC Act Now

72crm 9.0 has an Arbitrary file upload vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Wukong Crm
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2022-37178 HIGH POC This Week

An issue was discovered in 72crm 9.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Wukong Crm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Unauthenticated fastjson deserialization in WukongCRM 9.0 (Java edition) via the /OaExamine/setOaExamine HTTP endpoint allows remote attackers to supply attacker-controlled class references that the Alibaba fastjson library instantiates at runtime, enabling arbitrary Java gadget-chain execution. A public proof-of-concept is available on GitHub, lowering the exploitation bar considerably. While the assigned CVSS scores impact conservatively at I:L/A:L with no confidentiality loss, this is inconsistent with the well-documented RCE potential of fastjson deserialization gadget chains - the actual impact may be understated. No public exploit has been confirmed as actively exploited (not in CISA KEV).

Java Deserialization Wukong Crm
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

72crm 9.0 has an Arbitrary file upload vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Wukong Crm
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

An issue was discovered in 72crm 9.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Wukong Crm
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy