CVE-2025-9140
Published 2025-08-19
Priority: P2 (60, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: publicly available
EPSS: 0.45% (35.8th percentile)
A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+."
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 51mis | lingdang_crm | < 8.6.5.4 | 8.6.5.4 |
| shanghai_lingdang_information_technology | lingdang_crm | — | — |
Detection & IOCs (extracted from sources)
- command: `getvaluestring=<SQLi payload>` (time-based blind via GET and POST to /crm/crmapi/erp/tabdetail_moduleSave.php)
- Monitor HTTP GET and POST requests to /crm/crmapi/erp/tabdetail_moduleSave.php for SQL injection patterns in the 'getvaluestring' parameter, particularly time-based blind SQLi payloads (e.g., SLEEP/WAITFOR DELAY).
- Inspect both GET and POST methods targeting the vulnerable endpoint, as the public exploit tests both HTTP methods for the 'getvaluestring' injection vector.
- The vulnerability affects Lingdang CRM versions up to 8.6.4.7; version 8.6.5.4 contains the fix. Ensure patched instances are confirmed to be running 8.6.5+ before removing detection coverage.
- The vendor's fix specifically uses parameterized queries and input sanitization; detections targeting the 'getvaluestring' parameter should remain active on unpatched instances (≤8.6.4.7).
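The detection guidance above, as an added example that is not part of the original record: a small Python check that inspects both the query string and the form body of requests to the vulnerable endpoint for time-based blind SQLi markers in `getvaluestring`. The request records are constructed samples, and the function and variable names are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the CVE record.
VULN_PATH = "/crm/crmapi/erp/tabdetail_moduleSave.php"
VULN_PARAM = "getvaluestring"

# Time-based blind SQLi markers: MySQL SLEEP/BENCHMARK, MSSQL WAITFOR DELAY,
# PostgreSQL pg_sleep. Matched case-insensitively on the decoded value.
TIME_BASED = re.compile(
    r"\b(sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(|waitfor\s+delay\b)", re.IGNORECASE
)


def inspect_request(method, target, body=""):
    """Return the decoded getvaluestring value if it carries a time-based
    SQLi marker and the request hits the vulnerable endpoint, else None.

    Both the query string and the form body are checked, because the
    public exploit is reported to try GET and POST."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    for source in (parts.query, body):
        for value in parse_qs(source).get(VULN_PARAM, []):  # parse_qs percent-decodes
            if TIME_BASED.search(value):
                return value
    return None


def scan_requests(records):
    """Run inspect_request over request records (as a WAF or proxy hook would
    see them) and return hits as (source_ip, method, decoded_value) tuples."""
    hits = []
    for rec in records:
        value = inspect_request(rec["method"], rec["target"], rec.get("body", ""))
        if value is not None:
            hits.append((rec["src"], rec["method"], value))
    return hits


# Constructed sample traffic (not real captures); source addresses are documentation ranges.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "GET", "target": VULN_PATH + "?getvaluestring=1"},
    {"src": "203.0.113.10", "method": "GET",
     "target": VULN_PATH + "?getvaluestring=1%27%20AND%20SLEEP%285%29--%20"},
    {"src": "198.51.100.7", "method": "POST", "target": VULN_PATH,
     "body": "getvaluestring=1%27+WAITFOR+DELAY+%270%3A0%3A5%27--"},
    {"src": "198.51.100.7", "method": "POST", "target": "/crm/index.php",
     "body": "getvaluestring=SLEEP(5)"},  # same value, different path: ignored
]

if __name__ == "__main__":
    for src, method, value in scan_requests(SAMPLE_REQUESTS):
        print(f"{src} {method} {VULN_PATH} getvaluestring={value!r}")
```

The check is deliberately scoped to the one path and parameter the record names; broaden the regex only after confirming the instance is still ≤8.6.4.7.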
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.