CVE-2025-7878 is a vulnerability identified in Metasoft 美特软件's MetaCRM product, specifically affecting versions up to 6.4.2. The flaw resides in an unspecified function within the /common/jsp/upload2.jsp file, where the 'File' argument can be manipulated to allow unrestricted file uploads. This vulnerability enables an attacker to remotely upload arbitrary files to the server without authentication or user interaction. The unrestricted upload capability can be exploited to place malicious files such as web shells or malware, potentially leading to remote code execution, data compromise, or further system compromise. Although the CVSS v4.0 score is 5.3 (medium severity), the vulnerability's nature—unrestricted file upload—typically poses significant risks. The vendor was notified but did not respond or provide a patch, and no known exploits have been observed in the wild yet. The vulnerability's attack vector is network-based with low attack complexity and no privileges or user interaction required, but with limited confidentiality, integrity, and availability impact as per the CVSS vector. The public disclosure of the exploit increases the risk of exploitation by threat actors.

For European organizations using MetaCRM versions up to 6.4.2, this vulnerability presents a tangible risk of unauthorized system compromise. Attackers could upload malicious payloads to CRM servers, potentially leading to unauthorized access to sensitive customer data, disruption of CRM services, or lateral movement within corporate networks. Given that CRM systems often contain critical business and customer information, exploitation could result in data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and operational downtime. The medium CVSS score suggests moderate impact, but the unrestricted upload vector could be leveraged in targeted attacks, especially if the CRM is internet-facing or insufficiently segmented. The lack of vendor response and patch availability increases exposure time, raising the urgency for organizations to implement compensating controls. European entities with high reliance on MetaCRM for customer relationship management and those in regulated industries (finance, healthcare, telecommunications) are particularly at risk.

Since no official patch or vendor response is available, European organizations should implement immediate compensating controls: 1) Restrict access to the /common/jsp/upload2.jsp endpoint via network segmentation, firewall rules, or web application firewalls (WAF) to limit exposure to trusted internal IPs only. 2) Employ strict input validation and file type restrictions at the web server or proxy level to block potentially malicious file uploads. 3) Monitor server logs and network traffic for unusual upload activity or access patterns targeting the vulnerable endpoint. 4) Conduct regular integrity checks on uploaded files and scan for web shells or malware. 5) If possible, disable or restrict the upload functionality temporarily until a patch is available. 6) Implement strong authentication and authorization controls around the CRM system to reduce the attack surface. 7) Prepare incident response plans specific to web shell or malware infections. 8) Stay alert for vendor updates or community patches and apply them promptly once available.