CVE-2025-7874
BaseFortify
Publication date: 2025-07-20
Last updated on: 2025-08-27
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metasoft | metacrm | to 6.4.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7874 is an information disclosure vulnerability in Metasoft MetaCRM up to version 6.4.2. It affects the /env.jsp endpoint, which is accessible without authentication and exposes sensitive server information such as server name, Java version, and absolute file paths. This improper authorization allows remote attackers to gather sensitive information without any credentials, potentially aiding further attacks. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive server information, which compromises the confidentiality of your system. Attackers can remotely exploit this flaw without authentication to gather details about your server environment, potentially facilitating further attacks or system compromise. Since the vendor has not provided any fixes, the risk remains until mitigated by other means. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the /env.jsp endpoint is accessible without authentication and discloses sensitive server information such as server name, Java version, and absolute file paths. A simple way to check is to send an HTTP request with `curl -i http://<target>/env.jsp` or `wget http://<target>/env.jsp` and see whether sensitive information is returned. Additionally, Google dorking with the query "inurl:env.jsp" can help identify vulnerable targets publicly accessible on the internet. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include restricting or disabling access to the /env.jsp and /debug.jsp endpoints, implementing proper authentication and authorization controls on these endpoints, or removing/replacing the affected MetaCRM component/version (up to 6.4.2) since no official vendor fix or patch is available. Limiting exposure by network segmentation or firewall rules to block external access to these endpoints is also advised. [1, 2]
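
To complement the request-based check and to confirm that a restriction on /env.jsp and /debug.jsp is holding, the following added example (not taken from the vendor, VulDB or BaseFortify) reviews web access logs for requests to those endpoints that were answered with a 2xx status. It assumes the Apache/nginx combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Endpoints named on this page; matching is case-insensitive to stay conservative.
SENSITIVE = {"/env.jsp", "/debug.jsp"}

# Assumed combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jul/2025:10:01:02 +0000] "GET /env.jsp HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '203.0.113.7 - - [20/Jul/2025:10:01:09 +0000] "GET /crm/ENV.jsp;x=1?a=b HTTP/1.1" 200 1843 "-" "curl/8.5.0"',
    '198.51.100.4 - - [20/Jul/2025:10:02:00 +0000] "GET /debug.jsp HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - alice [20/Jul/2025:10:03:00 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def normalize(target):
    """Reduce a logged request target to a comparable, lower-cased path."""
    path = unquote(target.split("?", 1)[0])                    # drop query, decode %xx
    segments = [s.split(";", 1)[0] for s in path.split("/")]   # drop ;path-parameters
    return "/" + "/".join(s for s in segments if s).lower()    # collapse repeated slashes

def served_exposures(lines):
    """Return (ip, timestamp, path, status) for sensitive pages that were served (2xx)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = normalize(m["target"])
        # Compare the last segment so any context path (e.g. /crm/env.jsp) is covered.
        leaf = "/" + path.rsplit("/", 1)[-1]
        if leaf in SENSITIVE and m["status"].startswith("2"):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in served_exposures(SAMPLE_LOG):
        print(hit)
```

An empty result over logs written after the restriction was applied indicates the endpoints are no longer being served; any hit shows when and to which address the page was returned.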