CVE-2025-7878 is a vulnerability identified in Metasoft 美特软件's MetaCRM product, specifically affecting versions up to 6.4.2. The vulnerability resides in an unspecified function within the /common/jsp/upload2.jsp file, where the 'File' argument can be manipulated to allow unrestricted file uploads. This flaw enables an attacker to remotely upload arbitrary files to the server without authentication or user interaction, potentially leading to unauthorized code execution or system compromise. The vulnerability has been publicly disclosed, and although the vendor was notified early, no response or patch has been provided. The CVSS v4.0 score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. The exploitability is enhanced by the lack of authentication and user interaction requirements, making it feasible for remote attackers to exploit. However, the impact is somewhat limited by the vector components indicating low confidentiality, integrity, and availability impacts, possibly due to partial mitigations or environment-specific factors. No known exploits are currently observed in the wild, but public disclosure increases the risk of exploitation. The vulnerability's root cause is the absence of proper validation or restrictions on file uploads, which is a common security weakness in web applications, potentially allowing attackers to upload web shells or malicious scripts to gain persistent access or pivot within the network.

For European organizations using MetaCRM versions up to 6.4.2, this vulnerability poses a significant risk of unauthorized access and potential system compromise. Attackers could leverage the unrestricted upload to deploy malicious payloads, such as web shells, ransomware, or data exfiltration tools. This could lead to confidentiality breaches involving sensitive customer or business data, integrity violations through unauthorized modifications, and availability disruptions if critical services are impacted. Given the CRM's role in managing customer relationships and sensitive business information, exploitation could result in reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. The medium CVSS score suggests that while the vulnerability is exploitable remotely without authentication, the overall impact might be mitigated by environmental factors or existing security controls. However, the lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls. European organizations with internet-facing MetaCRM instances are particularly at risk, especially those lacking robust web application firewalls or intrusion detection systems.

Since no official patch or vendor response is available, European organizations should implement immediate compensating controls. These include restricting access to the /common/jsp/upload2.jsp endpoint via network segmentation or firewall rules to limit exposure to trusted IPs only. Deploying a web application firewall (WAF) with custom rules to detect and block suspicious file upload attempts can reduce risk. Organizations should audit existing MetaCRM installations for unauthorized files or web shells and monitor logs for anomalous upload activity. Disabling or removing the vulnerable upload functionality, if feasible, can be a temporary measure. Additionally, applying strict input validation and file type restrictions at the application or proxy level can help prevent malicious uploads. Regular backups and incident response plans should be updated to prepare for potential exploitation. Finally, organizations should monitor threat intelligence feeds for any emerging exploits and be ready to apply patches promptly once the vendor releases them.