PatchSiren cyber security CVE debrief

CVE-2026-10205 Metasoft 美特软件 CVE debrief

A remote unrestricted file upload vulnerability exists in Metasoft MetaCRM 6.4.0, specifically in the develop/systparam/softlogo/upload.jsp endpoint. The vulnerability allows authenticated remote attackers to upload arbitrary files. The CVSS 4.0 base score is 2.1 (LOW severity), with the vector indicating network attack vector, low attack complexity, no attack requirements, and low privileges required (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L). The exploit has been publicly disclosed and is reported as being used in the wild (E:P). The vendor was contacted but did not respond. The CNA-assigned weaknesses are CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vendor attribution is uncertain: the source domain evidence points to Feishu as a reference domain candidate, and the vendor is listed as Unknown Vendor with low confidence, requiring review.

Vendor: Metasoft 美特软件
Product: MetaCRM
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running Metasoft MetaCRM 6.4.0; security teams managing CRM application security; incident response teams monitoring for web application exploitation; network defenders responsible for restricting access to unpatched vendor software.

Technical summary

The vulnerability is an unrestricted file upload in the develop/systparam/softlogo/upload.jsp component of Metasoft MetaCRM 6.4.0. Attackers with low privileges can remotely upload arbitrary files. The CVSS 4.0 score of 2.1 reflects limited confidentiality, integrity, and availability impacts under the assessed vector. The exploit has been publicly disclosed and is marked as proof-of-concept or used in the wild (E:P). Vendor response was not obtained.

Defensive priority

Medium

Recommended defensive actions

  • Restrict network access to the MetaCRM 6.4.0 application, particularly the /develop/systparam/softlogo/upload.jsp endpoint, to trusted source IP ranges until a patch is available.
  • Implement strict server-side file upload validation including allowlisting of permitted file extensions, content-type verification, and file content inspection to mitigate unrestricted upload risks.
  • Apply the principle of least privilege to accounts that can reach the upload functionality referenced in the vulnerability.
  • Monitor for unauthorized file uploads or unexpected file types in the upload.jsp directory and associated web-accessible paths.
  • Contact Metasoft vendor support directly to request security patch status for MetaCRM 6.4.0, as the vendor did not respond to initial disclosure.
  • Review web server and application logs for historical exploitation indicators, given public exploit availability.
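The server-side validation described in the second action (extension allowlist, content-type verification, content inspection), as an added illustrative example that is not Metasoft's code; it is written in Python rather than as a JSP servlet, and the allowed image types, size limit, and naming rules are assumptions for a logo-upload endpoint like the one affected here:

```python
import re

# Allowlisted logo image types: extension -> accepted magic-byte prefixes (constructed mapping)
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024          # assumed 2 MiB cap for a logo
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def expected_content_type(ext):
    """Map an allowlisted extension to the single Content-Type we accept for it."""
    return "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"


def validate_logo_upload(filename, declared_type, data):
    """Return (ok, detail). On success detail is the normalised file name to store
    under; on failure it names the check that rejected the upload.
    The checks are layered so that name, declared type and bytes must all agree."""
    if not data or len(data) > MAX_SIZE:
        return False, "size"
    # Keep only the final path component so '../' in the client name is irrelevant
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    # Exactly one extension: rejects 'logo.png.jsp', 'logo', and '.htaccess'-style names
    if len(parts) != 2:
        return False, "name"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "name"
    # Allowlist, never a denylist: anything that is not a known image type is refused
    if ext not in ALLOWED_TYPES:
        return False, "extension"
    if declared_type.lower() != expected_content_type(ext):
        return False, "content-type"
    # Content inspection: the bytes must start with a signature for the claimed type
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content"
    return True, f"{stem}.{ext}"
```

Storing the accepted file under a server-chosen name in a directory with script execution disabled is the companion control; the validator alone does not provide that.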

Evidence notes

The vulnerability description and CVSS vector are sourced from NVD/VulDB CNA data. The affected file path (develop/systparam/softlogo/upload.jsp) and product version (MetaCRM 6.4.0) come from the CNA description. Vendor attribution is weak: the reference domain candidate is Feishu (ucn9h68n9289.feishu.cn), but the vendor field shows Unknown Vendor with low confidence and needsReview=true. The exploit availability (E:P) is derived from the CVSS 4.0 vector. No KEV entry exists.

Official resources

Public disclosure occurred on 2026-06-01 with exploit details published. The vendor was contacted prior to disclosure but did not respond.