
CVE-2025-7874: Information Disclosure in Metasoft 美特软件 MetaCRM

Severity: Medium
Published: Sun Jul 20 2025 (07/20/2025, 07:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Metasoft 美特软件
Product: MetaCRM

Description

A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /env.jsp. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/28/2025, 00:59:41 UTC

Technical Analysis

CVE-2025-7874 is an information disclosure vulnerability identified in Metasoft 美特软件's MetaCRM product, specifically affecting versions up to 6.4.2. The vulnerability resides in an unspecified functionality within the /env.jsp file. This file likely handles environment or configuration-related data. The flaw allows an unauthenticated remote attacker to manipulate the vulnerable endpoint to disclose sensitive information. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector details reveal that the attack requires no privileges, no user interaction, and can be performed remotely over the network with low attack complexity. The impact is limited to confidentiality, with no effect on integrity or availability. The vendor was notified early but has not responded or issued a patch, and no known exploits are currently observed in the wild. The public disclosure of the exploit increases the risk of exploitation by threat actors. Given the nature of CRM systems, the information disclosed could include sensitive business or customer data, environment variables, or configuration details that could facilitate further attacks or data breaches.

Potential Impact

For European organizations using MetaCRM versions 6.4.0 through 6.4.2, this vulnerability poses a risk of unauthorized exposure of sensitive internal information. Such information disclosure can lead to loss of confidentiality, potentially exposing customer data, business logic, or system configuration details. This exposure could facilitate subsequent targeted attacks such as privilege escalation, lateral movement, or data exfiltration. Since CRM systems often contain personal data protected under GDPR, unauthorized disclosure could result in regulatory non-compliance, financial penalties, and reputational damage. The remote and unauthenticated nature of the exploit increases the risk of opportunistic attacks, especially if the affected MetaCRM instances are internet-facing. The lack of a vendor patch and public exploit availability further heightens the urgency for European organizations to implement mitigations promptly.

Mitigation Recommendations

European organizations should immediately audit their MetaCRM deployments to identify affected versions (6.4.0 to 6.4.2). If possible, isolate or restrict access to the /env.jsp endpoint using network-level controls such as firewalls or web application firewalls (WAFs) to block unauthorized external access. Implement strict access controls and IP whitelisting for administrative interfaces. Monitor web server logs for suspicious requests targeting /env.jsp or unusual information disclosure patterns. If upgrading to a patched version is not possible due to vendor unresponsiveness, consider deploying custom rules in WAFs to detect and block exploit attempts. Additionally, conduct a thorough review of exposed data to assess potential leakage impact and notify affected stakeholders as required by GDPR. Organizations should also prepare incident response plans for potential exploitation and maintain heightened monitoring for related threat activity.
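A log sweep of the kind the monitoring recommendation above describes, as an added example that is not part of this advisory or of MetaCRM itself: it parses combined-format web server access log lines, flags requests for /env.jsp (matched case-insensitively, with query string and URL-encoding stripped) from addresses outside a hypothetical internal allowlist, and summarises the hits per source address. The sample log lines and the allowlisted ranges are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format as written by Apache httpd or Tomcat's AccessLogValve
# (%h %l %u %t "%r" %s %b ...); referer and user agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical internal ranges permitted to reach the endpoint; replace with your own.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def parse_line(line):
    """Parse one access log line into a dict, or return None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the path so /ENV.JSP?x=1 and /env%2Ejsp are treated like /env.jsp.
    rec["path"] = unquote(rec["path"].split("?", 1)[0]).lower()
    rec["status"] = int(rec["status"])
    return rec

def is_allowed(ip):
    """True if the source address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

def find_env_jsp_hits(lines):
    """Return parsed entries that requested /env.jsp from outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"].endswith("/env.jsp") and not is_allowed(rec["ip"]):
            hits.append(rec)
    return hits

def summarize(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["ip"] for h in hits)

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.7 - - [20/Jul/2025:07:02:05 +0000] "GET /env.jsp HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '10.0.4.12 - - [20/Jul/2025:07:03:11 +0000] "GET /env.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2025:07:04:40 +0000] "GET /index.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Jul/2025:07:05:02 +0000] "GET /ENV.JSP?x=1 HTTP/1.1" 200 5120 "-" "python-requests/2.32"',
    'garbage line that does not match the log format',
]
```

Running `summarize(find_env_jsp_hits(SAMPLE_LOG))` on the constructed lines reports one hit each from 203.0.113.7 and 198.51.100.9; the internal 10.0.4.12 request is ignored.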


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-19T07:15:31.019Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687c97b8a83201eaac015f29

Added to database: 7/20/2025, 7:16:08 AM

Last enriched: 7/28/2025, 12:59:41 AM

Last updated: 10/18/2025, 9:36:00 PM