MEDIUM 6.3

CVE-2026-10205: Unrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation

Metasoft MetaCRM version 6.4.0 contains an unrestricted file upload vulnerability in its logo upload functionality. An authenticated attacker can upload arbitrary files to the server, potentially leading to code execution or system compromise. The vulnerability affects a JSP file handling logo uploads and requires valid user credentials to exploit. Public exploit code exists for this issue.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-284, CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in Metasoft 美特软件 MetaCRM 6.4.0. The impacted element is an unknown function of the file develop/systparam/softlogo/upload.jsp. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10205 is an unrestricted file upload vulnerability affecting Metasoft MetaCRM 6.4.0, specifically within the develop/systparam/softlogo/upload.jsp endpoint. The vulnerability stems from inadequate input validation and insufficient controls on file uploads (CWE-434), compounded by improper access control mechanisms (CWE-284). An authenticated user can bypass upload restrictions by submitting malicious files, which the server accepts without proper type verification or sandboxing. The remote, network-accessible nature of the endpoint combined with low attack complexity makes this a practical exploitation scenario. CVSS 3.1 score of 6.3 (Medium) reflects the authenticated requirement but acknowledges confidentiality, integrity, and availability impacts.

Business impact

Successful exploitation allows attackers with valid MetaCRM credentials to upload and potentially execute arbitrary code on affected systems. This creates pathways for lateral movement within environments, data theft, system defacement, or deployment of backdoors. Organizations using MetaCRM for customer relationship management face operational disruption and compliance implications if customer data is accessed or modified through this vector. The availability of public exploits significantly reduces the time-to-weaponization and increases organizational risk exposure.

Affected systems

Metasoft MetaCRM version 6.4.0 is directly affected. Users operating this version should assume their systems are at risk. Verify whether your deployment falls within this version range, as earlier or later versions may have different vulnerability status. Organizations should check with Metasoft for version-specific guidance, though the vendor has not provided a public response to this disclosure.

Exploitability

This vulnerability has moderate exploitability. Attack complexity is low—standard HTTP POST requests to the upload endpoint with crafted file payloads suffice. However, exploitation requires valid authentication credentials, meaning attackers must first obtain legitimate user access or compromise an existing account. The public disclosure of exploit details lowers barriers for opportunistic threat actors. Organizations with strong access controls and user monitoring may detect exploitation attempts; however, the authentication requirement may provide false confidence if internal account security is weak.

Remediation

Immediate action: Contact Metasoft to obtain a patched version of MetaCRM addressing this vulnerability. If an update is unavailable, implement compensating controls: restrict access to the upload endpoint via network segmentation, disable the logo upload feature if operationally feasible, enforce strict file type whitelisting and Content-Disposition headers to prevent execution of uploaded files, and implement robust logging on upload activities. Additionally, audit all MetaCRM user accounts to identify and revoke access for unused or suspicious accounts.

Patch guidance

Check Metasoft's official security advisories and product update channels for a patched version of MetaCRM 6.4.0. Vendors typically release security updates through their customer portal or official website. Verify patch version numbers against the vendor advisory before deployment. If Metasoft has not released a patch, maintain heightened monitoring and apply the compensating controls outlined in remediation guidance. Test patches in a non-production environment before rollout to ensure compatibility with your MetaCRM configuration and integrated systems.

Detection guidance

Monitor web application logs for suspicious POST requests to develop/systparam/softlogo/upload.jsp, particularly those uploading non-image file types. Track unusual file creation in upload directories, especially executable files (JSP, JAR, EXE) or archives. Correlate upload activity with user accounts and flag anomalies such as uploads from low-privilege users or outside business hours. Implement file integrity monitoring on upload directories to detect unauthorized additions. Web application firewalls can be tuned to block requests uploading files with suspicious MIME types or executable extensions to this endpoint.

Why prioritize this

Although CVSS 6.3 is rated Medium, prioritize this vulnerability for your environment based on: (1) public exploit availability reducing time-to-weaponization, (2) potential for code execution and lateral movement, (3) authentication requirement mitigating only if your internal access controls are strong, and (4) lack of vendor response indicating delayed patch availability. Assess the criticality of MetaCRM in your environment and the sensitivity of data it handles—if customer data is at stake, elevate prioritization accordingly.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects: network accessibility (AV:N) and low attack complexity (AC:L) warrant a higher base score; however, the requirement for valid user authentication (PR:L) limits the attack surface. Confidentiality, integrity, and availability are all impacted at a limited scope, placing the vulnerability in the Medium severity band. This scoring assumes a typical deployment; environments with weak access controls or high-value data may justify treating this as High priority operationally.

Frequently asked questions

Does this vulnerability require the attacker to be inside our network?

No. The vulnerability is remotely exploitable over the network. However, it does require valid MetaCRM user credentials—either obtained through credential theft, phishing, or insider access. An attacker cannot exploit this via an unauthenticated request.

What versions of MetaCRM are vulnerable?

CVE-2026-10205 specifically affects Metasoft MetaCRM version 6.4.0. Confirm your installed version and check with Metasoft to determine whether other versions (earlier or later) are similarly affected.

What should we do if we don't have a patch yet?

Implement the compensating controls detailed in the Remediation Guidance section: restrict network access to the upload endpoint, disable the feature if possible, enforce strict file type validation, and enhance monitoring of upload activity. Simultaneously, contact Metasoft for patch availability and expected timeline.

Can we detect if this vulnerability has been exploited in our environment?

Review web server logs for POST requests to develop/systparam/softlogo/upload.jsp with non-image file types, unusual file extensions, or oversized payloads. Check upload directories for unexpected executable files or archives created around the time of suspicious requests. Enable detailed application logging if it is not already configured.

This analysis is provided for informational purposes and reflects publicly disclosed vulnerability details as of the publication and modification dates listed. SEC.co does not endorse or provide exploit code. Organizations should verify all technical claims, patch availability, and version information directly with Metasoft and conduct independent testing before deploying mitigations. The CVSS score and severity are based on vendor-published metrics; organizational risk may differ based on deployment context, data sensitivity, and access controls. Always consult your security team and follow your organization's change management procedures before implementing patches or operational changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).