CVE-2025-0463

CVE-2025-0463 is a critical vulnerability in Shanghai Lingdang Information Technology's Lingdang CRM software, affecting versions up to 8.6.0.0. The issue resides in an unknown function within the file /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&related_module=Singin, where manipulation of the "name" argument enables unrestricted file upload. This flaw is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type), carrying a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was publicly disclosed on January 14, 2025.

Attackers can exploit this vulnerability remotely with low-privilege access (PR:L), requiring no user interaction and low complexity. Successful exploitation allows limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), primarily through uploading arbitrary files, which could facilitate further compromise depending on server permissions and file handling.

VulDB advisories detail the issue and note that an exploit has been publicly disclosed, including a proof-of-concept document on GitHub, making it readily usable. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available in the referenced sources. Security practitioners should restrict access to the affected endpoint and monitor for anomalous uploads.