
CVE-2025-7875: Improper Authentication in Metasoft 美特软件 MetaCRM

Severity: Medium
Tags: Vulnerability, CVE-2025-7875
Published: Sun Jul 20 2025 (07/20/2025, 07:14:05 UTC)
Source: CVE Database V5
Vendor/Project: Metasoft 美特软件
Product: MetaCRM

Description

A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/20/2025, 07:46:12 UTC

Technical Analysis

CVE-2025-7875 is a vulnerability identified in Metasoft 美特软件's MetaCRM product, specifically affecting versions up to 6.4.2. The vulnerability arises from improper authentication controls related to the /debug.jsp file, which is part of the web application. This flaw allows an attacker to bypass authentication mechanisms remotely without requiring any privileges or user interaction. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 6.9, reflecting a network attack vector with low complexity and no need for authentication or user interaction. The impact on confidentiality, integrity, and availability is rated as low, indicating that while the attacker can bypass authentication, the scope of damage or data exposure is somewhat limited. The vendor has been contacted but has not responded or issued a patch, and no known exploits have been observed in the wild yet. The vulnerability disclosure is public, which increases the risk of exploitation by threat actors. The improper authentication on a debug interface suggests that sensitive diagnostic or administrative functions could be accessed by unauthorized users, potentially leading to unauthorized data access or manipulation within the CRM system. Given the nature of CRM systems, which often store customer and business data, this vulnerability could be leveraged for reconnaissance or lateral movement within affected networks.

Potential Impact

For European organizations using MetaCRM versions up to 6.4.2, this vulnerability poses a risk of unauthorized access to CRM functionalities or data without requiring credentials. This could lead to exposure of sensitive customer information, business contacts, or internal communications, potentially violating GDPR and other data protection regulations. The unauthorized access could also allow attackers to manipulate CRM data, impacting data integrity and business operations. While the CVSS score indicates a medium severity, the lack of vendor response and patch availability increases the risk profile. European companies relying on MetaCRM for customer relationship management may face reputational damage, regulatory fines, and operational disruptions if exploited. The remote attack vector and no requirement for user interaction make it feasible for attackers to scan and exploit vulnerable instances over the internet, especially if the /debug.jsp endpoint is exposed externally.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the /debug.jsp endpoint at the network perimeter using firewalls or web application firewalls (WAFs) to limit exposure to trusted internal IP addresses only.
2. Conduct an internal audit to identify all instances of MetaCRM and verify if they are running vulnerable versions.
3. Disable or remove the /debug.jsp file or debug functionality if it is not essential for production environments.
4. Implement strict access controls and authentication mechanisms around any debug or administrative interfaces.
5. Monitor logs for any unusual access attempts to /debug.jsp or other administrative endpoints.
6. Engage with Metasoft for updates or patches and subscribe to vulnerability advisories for future fixes.
7. As a longer-term measure, consider migrating to a CRM solution with active vendor support and timely security updates.
8. Ensure that all CRM data is backed up securely and that incident response plans are updated to address potential exploitation scenarios related to this vulnerability.
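As an added example (not part of this advisory and not a Metasoft tool), the log check behind recommendations 1 and 5: it parses web server access log lines in combined format, flags every request for /debug.jsp from an address outside the trusted internal ranges, and records whether the server actually served the request. The trusted networks and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Trusted internal ranges (assumed values; replace with your own networks).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Endpoints that must never be reachable from outside the trusted ranges.
SENSITIVE_PATHS = ("/debug.jsp",)

# Combined log format: client ip, identity, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def is_trusted(ip: str) -> bool:
    """True if ip parses and lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_debug_access(lines):
    """One finding per request to a sensitive path from an untrusted source."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        # Drop the query string and normalise case so probe variants still match.
        path = m.group("path").split("?", 1)[0].lower()
        if path not in SENSITIVE_PATHS or is_trusted(m.group("ip")):
            continue
        status = int(m.group("status"))
        findings.append({"ip": m.group("ip"), "time": m.group("time"),
                         "path": m.group("path"), "status": status,
                         "served": status < 400})  # served => the bypass worked
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jul/2025:07:14:05 +0000] "GET /debug.jsp HTTP/1.1" 200 1532',
    '10.1.2.3 - - [20/Jul/2025:07:15:10 +0000] "GET /debug.jsp HTTP/1.1" 200 1532',
    '198.51.100.9 - - [20/Jul/2025:07:16:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/Jul/2025:07:16:30 +0000] "POST /DEBUG.JSP?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in find_debug_access(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} -> {f['path']} ({f['status']}, served={f['served']})")
```

A hit with served=True from an external address is the case to escalate; a 403 from the same address shows the perimeter rule in recommendation 1 is doing its job.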


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-19T07:15:33.752Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687c9b3ca83201eaac016794

Added to database: 7/20/2025, 7:31:08 AM

Last enriched: 7/20/2025, 7:46:12 AM

