CVE-2025-0463
Published: 14 January 2025
Summary
CVE-2025-0463 is a medium-severity Improper Access Control (CWE-284) vulnerability in 51Mis Lingdang Crm. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to block low-privileged users from accessing and manipulating the vulnerable endpoint handling the 'name' argument.
Validates the 'name' argument and uploaded file contents to prevent unrestricted upload of dangerous file types.
Restricts file types, sizes, and characteristics allowable for upload to the affected CRM endpoint, mitigating CWE-434 exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unrestricted file upload in public-facing web app directly enables remote exploitation (T1190) and deployment of web shells (T1505.003).
NVD Description
A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0. It has been classified as critical. Affected is an unknown function of the file /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&related_module=Singin. The manipulation of the argument name leads to unrestricted upload. It…
more
is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-0463 is a critical vulnerability in Shanghai Lingdang Information Technology's Lingdang CRM software, affecting versions up to 8.6.0.0. The issue resides in an unknown function within the file /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&related_module=Singin, where manipulation of the "name" argument enables unrestricted file upload. This flaw is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was publicly disclosed on January 14, 2025.
Attackers can exploit this vulnerability remotely with low-privilege access (PR:L), requiring no user interaction and low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), primarily through uploading arbitrary files, which could facilitate further compromise depending on server permissions and file handling.
VulDB advisories detail the issue and note that an exploit has been publicly disclosed, including a proof-of-concept document on GitHub, making it readily usable. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available in the referenced sources. Security practitioners should restrict access to the affected endpoint and monitor for anomalous uploads.
Details
- CWE(s)