CVE-2025-7874 is an information disclosure vulnerability identified in Metasoft 美特软件's MetaCRM product, specifically affecting versions 6.4.0 through 6.4.2. The vulnerability resides in an unspecified functionality within the /env.jsp file. This flaw allows an unauthenticated remote attacker to access sensitive information without requiring any user interaction or privileges. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (VC:L), with no impact on integrity or availability. The vulnerability is exploitable remotely and the exploit details have been publicly disclosed, although there are no confirmed reports of exploitation in the wild. The vendor has been contacted but has not responded or provided a patch, leaving affected users exposed. The lack of a patch and public exploit disclosure increases the risk of exploitation by threat actors seeking to gather sensitive information from vulnerable MetaCRM deployments.

For European organizations using MetaCRM versions 6.4.0 to 6.4.2, this vulnerability poses a significant risk of unauthorized information disclosure. The leaked information could include environment variables, configuration details, or other sensitive data accessible via the /env.jsp endpoint, potentially exposing credentials, internal network details, or other confidential business information. Such data exposure can facilitate further attacks such as lateral movement, privilege escalation, or targeted phishing campaigns. Given that MetaCRM is a customer relationship management system, the exposure of customer data or internal business intelligence could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. The medium severity rating reflects that while the vulnerability does not directly impact system integrity or availability, the confidentiality breach alone can have serious consequences, especially in regulated industries or sectors handling sensitive personal data.

Since no official patch or vendor response is available, European organizations should implement compensating controls immediately. These include restricting network access to the MetaCRM application, especially the /env.jsp endpoint, by using web application firewalls (WAFs) or network segmentation to limit exposure to trusted internal users only. Conduct thorough audits of MetaCRM installations to identify affected versions and remove or disable the vulnerable /env.jsp file if feasible. Monitor logs for unusual access patterns targeting this endpoint. Employ strict access controls and ensure that sensitive configuration data is not stored or exposed in web-accessible files. Organizations should also consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts. Finally, maintain heightened vigilance for phishing or follow-on attacks that may leverage information obtained through this vulnerability.