
CVE-2025-7877: Unrestricted Upload in Metasoft 美特软件 MetaCRM

Medium
Tags: Vulnerability, CVE-2025-7877
Published: Sun Jul 20 2025 (07/20/2025, 08:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Metasoft 美特软件
Product: MetaCRM

Description

A vulnerability, which was classified as critical, has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This issue affects some unknown processing of the file sendfile.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 07/20/2025, 08:31:14 UTC

Technical Analysis

CVE-2025-7877 is a vulnerability identified in Metasoft 美特软件 MetaCRM versions up to 6.4.2. The issue resides in the file sendfile.jsp, where improper handling of the 'File' argument allows an attacker to perform an unrestricted file upload. According to the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), the flaw is reachable over the network with low attack complexity and no user interaction, but it requires low privileges, so an attacker needs some level of authenticated access to the application. Exploitation could allow an attacker to upload arbitrary files, potentially leading to remote code execution, data compromise, or system takeover depending on the server configuration and the nature of the uploaded files. Although the initial report classified the issue as critical, the official CVSS 4.0 score is 5.3 (medium severity), reflecting mitigating factors such as limited scope and the requirement for low privileges (PR:L). The vendor has not responded to the disclosure, and no patches or mitigations have been officially released. No exploitation in the wild has been observed so far, but public disclosure increases the likelihood of exploitation attempts. MetaCRM is a customer relationship management system, likely used in enterprise environments for managing customer data and business processes. An unrestricted upload flaw in a web-accessible JSP file is a significant risk vector, as it can be leveraged to bypass security controls and deploy malicious payloads on the server.

Potential Impact

For European organizations using MetaCRM, this vulnerability poses a risk to the confidentiality, integrity, and availability of their CRM systems and associated data. Successful exploitation could lead to unauthorized access to sensitive customer information, disruption of business operations, and potential lateral movement within the corporate network. Because CRM systems often contain personal data protected under GDPR, a breach could result in regulatory penalties and reputational damage. The medium CVSS score suggests some limitations in exploitability or impact, but the lack of vendor response and patches increases exposure. Organizations in sectors such as finance, retail, and services that rely on MetaCRM for customer management are particularly affected. Additionally, because the attack vector is network-based, any attacker who holds or obtains a low-privilege account can attempt exploitation over the internet wherever the application is exposed, which enlarges the threat surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks, especially as exploit code may be developed following public disclosure.

Mitigation Recommendations

European organizations should immediately conduct an inventory to identify any deployments of MetaCRM versions 6.4.0 through 6.4.2. In the absence of official patches, organizations should consider the following mitigations:

1) Restrict access to the sendfile.jsp endpoint via network-level controls such as web application firewalls (WAFs) or IP whitelisting to limit exposure to trusted users only.
2) Implement strict input validation and file type restrictions at the web server or proxy level to prevent unauthorized file uploads.
3) Monitor web server logs for unusual file upload attempts or access patterns targeting sendfile.jsp.
4) Employ runtime application self-protection (RASP) tools if available to detect and block malicious upload attempts.
5) Isolate the MetaCRM server within a segmented network zone with minimal privileges to reduce lateral movement risk.
6) Prepare incident response plans for potential exploitation scenarios, including forensic readiness and data breach notification procedures.
7) Engage with Metasoft or third-party security providers for potential unofficial patches or workarounds.
8) Consider temporary suspension or replacement of MetaCRM if critical business processes can be maintained by alternative solutions until a patch is available.
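One way to operationalize mitigations 1 and 3 (allowlisting and log monitoring for sendfile.jsp), as an added example that is not part of the advisory and not MetaCRM's own code: it scans combined-format access log lines for requests to sendfile.jsp from outside a trusted range, for File arguments naming server-executable types, and for later requests to executable files under an upload directory. The trusted networks, the upload path, and the log lines are constructed assumptions; the File argument is only visible here if the client sends it in the query string.

```python
"""Scan web-server access logs for suspicious activity against sendfile.jsp (added example)."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Combined log format: client ip, timestamp, "METHOD target HTTP/x", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Hypothetical trusted ranges; replace with the networks of legitimate MetaCRM users.
TRUSTED = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
# Hypothetical upload location; the advisory does not state where MetaCRM stores uploads.
UPLOAD_DIR = "/metacrm/upload/"
# Types the servlet container would execute if they landed in a web-accessible path.
EXECUTABLE_EXT = (".jsp", ".jspx", ".jspf", ".war", ".jar")

def scan_line(line, trusted=TRUSTED):
    """Return a list of finding strings for one log line (empty if nothing stands out)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    if path.startswith(UPLOAD_DIR) and path.endswith(EXECUTABLE_EXT):
        return [f"{m['ip']} requested executable file under upload dir: {parts.path}"]
    if not path.endswith("/sendfile.jsp"):
        return []
    findings = []
    if not any(ip_address(m["ip"]) in net for net in trusted):
        findings.append(f"{m['ip']} outside allowlist hit sendfile.jsp ({m['method']}, {m['status']})")
    for name in parse_qs(parts.query).get("File", []):  # only if sent in the query string
        if name.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"{m['ip']} sent executable filename via File={name}")
    if m["method"] == "POST" and m["status"].startswith("2"):
        findings.append(f"{m['ip']} completed an upload to sendfile.jsp")
    return findings

def scan_log(lines, trusted=TRUSTED):
    return [f for line in lines for f in scan_line(line, trusted)]

# Constructed sample log lines: one benign page view, one internal upload, one external upload
# naming a JSP, and a follow-up request for that file under the upload directory.
SAMPLE_LOG = [
    '10.0.5.7 - - [20/Jul/2025:08:02:05 +0000] "GET /metacrm/index.jsp HTTP/1.1" 200 5120',
    '10.0.5.7 - - [20/Jul/2025:08:03:11 +0000] "POST /metacrm/sendfile.jsp?File=quote.pdf HTTP/1.1" 200 210',
    '203.0.113.9 - - [20/Jul/2025:08:04:42 +0000] "POST /metacrm/sendfile.jsp?File=page.jsp HTTP/1.1" 200 198',
    '203.0.113.9 - - [20/Jul/2025:08:04:50 +0000] "GET /metacrm/upload/page.jsp HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```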


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-19T07:15:39.022Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 687ca5c8a83201eaac0187fa

Added to database: 7/20/2025, 8:16:08 AM

Last enriched: 7/20/2025, 8:31:14 AM

Last updated: 7/20/2025, 8:31:14 AM
