
CVE-2025-6106: Cross-Site Request Forgery in WuKongOpenSource WukongCRM

Severity: Medium
Tags: Vulnerability, CVE-2025-6106
Published: Mon Jun 16 2025 (06/16/2025, 04:31:04 UTC)
Source: CVE Database V5
Vendor/Project: WuKongOpenSource
Product: WukongCRM

Description

A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/16/2025, 05:04:32 UTC

Technical Analysis

CVE-2025-6106 is a Cross-Site Request Forgery (CSRF) vulnerability in WuKongOpenSource's WukongCRM version 9.0. It arises from improper handling of requests in AdminRoleController.java, which is part of the administrative role management functionality of the CRM. CSRF lets an attacker cause an authenticated user's browser to submit actions to a web application in which that user is currently authenticated, without the user's consent or knowledge. In this case, a remote attacker can cause requests that manipulate administrative roles.

The attacker needs no prior authentication and no privileges on the system, but exploitation does require user interaction from an authenticated victim (e.g., an administrator clicking a malicious link or visiting a crafted webpage). The CVSS 4.0 base score is 5.3, a medium severity level. The vector shows that the attack is network exploitable (AV:N), requires low attack complexity (AC:L) and no privileges (PR:N), but does require user interaction (UI:P). The impact on confidentiality is none, on integrity low (some unauthorized changes possible), and on availability none.

The vendor has been contacted but has not responded or provided a patch, and no known exploits are currently observed in the wild. Given the administrative nature of the affected controller, successful exploitation could lead to unauthorized changes in user roles or permissions, potentially escalating privileges or disrupting administrative controls within the CRM system.
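To make the mechanism concrete, here is an added example (not code from WukongCRM or from VulDB) that models an administrative role-update endpoint in the unprotected shape the analysis describes, where a valid session cookie is the only gate, next to a hardened version that requires a synchronizer token bound to the session and checks the request's Origin/Referer. The endpoint shape, the parameter names, the `Request` object, `APP_ORIGIN` and the session/user values are all assumptions made for illustration.

```python
"""
Added example, not WukongCRM's code: a minimal model of an administrative
role-update endpoint, first in the unprotected shape the advisory describes
(the session cookie is the only check) and then hardened with a synchronizer
token bound to the session plus an Origin/Referer check. Endpoint shape,
parameter names, the Request object and APP_ORIGIN are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)          # constructed per-process key
APP_ORIGIN = "https://crm.example.internal"      # assumed deployment origin
ROLES: Dict[str, str] = {"alice": "sales"}       # constructed stand-in for the CRM user table


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as a controller sees it."""
    method: str
    session_id: Optional[str]                    # from the session cookie; browsers attach it to cross-site form posts too
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def update_role_vulnerable(req: Request) -> bool:
    """The pattern the advisory describes: a valid session is the only gate."""
    if req.method != "POST" or req.session_id is None:
        return False
    ROLES[req.form["user"]] = req.form["role"]
    return True


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token derived from the session id with a server-side key,
    so a token is unforgeable and only valid for the session it was issued to."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Origin of the request: the Origin header, else scheme://host from Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        p = urlsplit(ref)
        return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(req: Request) -> bool:
    """Accept only a token valid for this session, and only from our own origin."""
    if req.session_id is None:
        return False
    expected = csrf_token_for(req.session_id)
    presented = req.form.get("_csrf", "")
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return False
    # Defense in depth: a forged cross-site post carries the third party's origin,
    # and a state-changing request with no Origin/Referer at all is rejected too.
    return request_origin(req.headers) == APP_ORIGIN


def update_role_hardened(req: Request) -> bool:
    """Same operation, gated by the CSRF check."""
    if req.method != "POST" or not csrf_check(req):
        return False
    ROLES[req.form["user"]] = req.form["role"]
    return True


def demo() -> Dict[str, object]:
    victim = "sess-victim-1"                         # constructed session id of a logged-in admin
    # Auto-submitted form from a third-party page: the victim's cookie rides along,
    # but that page cannot read the per-session token.
    forged = Request("POST", victim, {"user": "alice", "role": "admin"},
                     {"Origin": "https://third-party.example"})
    legit = Request("POST", victim,
                    {"user": "alice", "role": "support", "_csrf": csrf_token_for(victim)},
                    {"Origin": APP_ORIGIN})
    return {
        "vulnerable_accepts_forged": update_role_vulnerable(forged),
        "hardened_rejects_forged": not update_role_hardened(forged),
        "hardened_accepts_legit": update_role_hardened(legit),
        "final_role": ROLES["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

The token is compared with `hmac.compare_digest` so a mismatch does not leak timing information, and the origin check normalizes Referer to scheme and host so a look-alike hostname that merely starts with the real one does not pass. Marking the session cookie `SameSite=Lax` or `Strict` adds a further browser-side layer, but the server-side token remains the primary control.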

Potential Impact

For European organizations using WukongCRM 9.0, this vulnerability poses a risk of unauthorized administrative actions being performed without the knowledge of legitimate users. Since WukongCRM is a customer relationship management platform, unauthorized role modifications could lead to privilege escalation, unauthorized data access, or disruption of CRM operations. This could affect data integrity and operational continuity, especially for organizations that rely heavily on the CRM for customer data management, sales, and support workflows. The confidentiality impact is rated none and the integrity impact low, but a low integrity impact is still significant in an administrative context. Because user interaction is required, phishing or social engineering campaigns are the likely means of exploitation. The lack of vendor response and the absence of a patch extend the period of exposure. Organizations subject to strict data protection regulations (e.g., GDPR) could face compliance risk if unauthorized changes lead to data misuse or breaches. The medium severity rating suggests a moderate but non-critical threat, yet the administrative context raises its importance for organizations with sensitive CRM data.

Mitigation Recommendations

- Use anti-CSRF tokens in all state-changing requests within the WukongCRM application, especially in administrative controllers; this is the direct fix for the weakness.
- Implement strict Content Security Policy (CSP) headers as defense in depth. Note that CSP alone does not stop a plain cross-site form POST, so it does not replace the token check.
- Restrict access to the AdminRoleController endpoints by IP allow-listing or VPN access to limit exposure to trusted networks.
- Educate users, especially administrators, about phishing and social engineering, since a forged request needs an authenticated user to be lured to a crafted page.
- Deploy a web application firewall (WAF) with custom rules to detect and block suspicious CSRF patterns targeting WukongCRM, such as state-changing requests to administrative endpoints whose Origin or Referer is not the application's own origin.
- Monitor logs for unusual administrative role changes or access patterns to detect exploitation attempts early.
- Where possible, place the WukongCRM administrative interface behind additional authentication layers such as multi-factor authentication (MFA) or client certificates.
- Consider temporarily disabling or restricting administrative role management features until a vendor patch or official fix is available.
- Engage with the vendor or community to request timely patches or mitigations, and track updates for WukongCRM.
- Perform regular security assessments and penetration testing focused on CSRF and related web vulnerabilities in the CRM environment.
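The monitoring recommendation above can be turned into a concrete check. The following added example (not WukongCRM's code and not part of this advisory) reads constructed audit-log lines recording administrative role changes and flags the traces a forged cross-site request would leave at the server: a state-changing admin request whose Origin/Referer is foreign or missing, a grant of a privileged role, and a burst of role changes by one actor in a short window. The log format, field names, the `admin` role name, the application origin and the burst thresholds are assumptions chosen for illustration.

```python
"""
Added example, not WukongCRM's code: a small detector over constructed
audit-log lines for administrative role changes, flagging the patterns a
CSRF-driven abuse of a role controller would leave behind. The log format,
field names, APP_ORIGIN and the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

APP_ORIGIN = "https://crm.example.internal"   # assumed deployment origin
PRIVILEGED_ROLES = {"admin"}                   # assumed name of the privileged role
BURST_WINDOW = timedelta(seconds=60)           # assumed: this many changes per actor per minute is abnormal
BURST_COUNT = 3

# Assumed line format: "<iso-ts> admin-role actor=<who> user=<target> role=<new> origin=<Origin/Referer or ->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) admin-role actor=(?P<actor>\S+) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) origin=(?P<origin>\S+)$"
)

# Constructed sample lines. "-" marks a request that carried no Origin or Referer.
SAMPLE_LOG = """\
2025-06-16T04:31:04Z admin-role actor=bob user=alice role=sales origin=https://crm.example.internal
2025-06-16T04:31:09Z admin-role actor=bob user=carol role=admin origin=https://third-party.example
2025-06-16T04:31:10Z admin-role actor=bob user=dave role=admin origin=-
2025-06-16T04:31:11Z admin-role actor=bob user=erin role=support origin=https://crm.example.internal
2025-06-16T05:02:00Z admin-role actor=eve user=frank role=sales origin=https://crm.example.internal
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text):
    """Return a list of alert dicts (kind, ts, actor, user) for the given log text."""
    alerts = []
    recent = defaultdict(deque)   # actor -> timestamps of that actor's recent role changes
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        base = {"ts": ev["ts"].isoformat(), "actor": ev["actor"], "user": ev["user"]}
        # 1. A state-changing admin request whose source is not our own origin is
        #    what a forged cross-site request looks like at the server.
        if ev["origin"] != APP_ORIGIN:
            alerts.append({"kind": "foreign-or-missing-origin", **base})
        # 2. Grants of a privileged role deserve review regardless of origin.
        if ev["role"] in PRIVILEGED_ROLES:
            alerts.append({"kind": "privileged-grant", **base})
        # 3. Several role changes by one actor inside the window (sliding window per actor).
        q = recent[ev["actor"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > BURST_WINDOW:
            q.popleft()
        if len(q) == BURST_COUNT:          # fire once when the threshold is first reached
            alerts.append({"kind": "burst", **base})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the detector raises two origin alerts (the third-party origin and the missing one), two privileged-grant alerts (both for the `admin` role) and one burst alert for `bob`, while `eve`'s single in-origin change raises nothing. A real deployment would feed the application's own access or audit log through `parse_line` with a pattern matching that log's format.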


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-15T09:45:24.215Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684fa251a8c921274383935c

Added to database: 6/16/2025, 4:49:21 AM

Last enriched: 6/16/2025, 5:04:32 AM

Last updated: 8/11/2025, 5:22:57 PM

