Skip to main content
CVE Vulnerability Database

CVE-2025-7801: BossSoft CRM 6.0 SQL Injection Vulnerability

CVE-2025-7801 is a critical SQL injection vulnerability in BossSoft CRM 6.0 affecting the HNDCBas_customPrmSearchDtl.jsp file. Attackers can exploit this remotely via the cstid parameter. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-7801 Overview

CVE-2025-7801 is a SQL injection vulnerability in BossSoft CRM 6.0. The flaw resides in the /crm/module/HNDCBas_customPrmSearchDtl.jsp endpoint, where the cstid parameter is passed directly to a backend database query without proper sanitization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the risk of opportunistic exploitation against exposed instances. The vulnerability is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Unauthenticated remote attackers can inject SQL commands through the cstid parameter, potentially exposing customer relationship management data stored in the backend database.

Affected Products

  • BossSoft CRM 6.0
  • Component: /crm/module/HNDCBas_customPrmSearchDtl.jsp
  • Parameter: cstid

Discovery Timeline

  • 2025-07-18 - CVE-2025-7801 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-7801

Vulnerability Analysis

The vulnerability exists in the JSP page HNDCBas_customPrmSearchDtl.jsp, which handles customer parameter search detail lookups in BossSoft CRM 6.0. The cstid request parameter is concatenated into a SQL statement without parameterization or input validation. Attackers supplying crafted values for cstid can break out of the intended query context and append additional SQL clauses. The EPSS score is 0.174% (38.4 percentile), indicating modest but non-trivial exploitation probability across the threat landscape.

Because the affected endpoint is reachable over the network and requires no authentication or user interaction, exploitation can be automated against any internet-facing BossSoft CRM 6.0 deployment. Successful injection can lead to disclosure of CRM records, modification of stored data, or enumeration of the underlying database schema.

Root Cause

The root cause is improper neutralization of user-controlled input embedded into a dynamic SQL query. The cstid parameter is not validated against an expected data type or sanitized before being used in query construction. Use of prepared statements with bound parameters would prevent this class of issue.

Attack Vector

The attack vector is network-based. An attacker sends an HTTP request to the vulnerable JSP endpoint with a manipulated cstid value containing SQL metacharacters and injected clauses. The application server passes the tainted string to the database, which executes the attacker-controlled SQL. No credentials are required, and the request can be issued directly with any HTTP client.

No verified proof-of-concept code is available in trusted repositories. Technical details have been published through the GitHub CVE Issue and the VulDB entry #316867.

Detection Methods for CVE-2025-7801

Indicators of Compromise

  • HTTP requests to /crm/module/HNDCBas_customPrmSearchDtl.jsp containing SQL metacharacters such as ', --, UNION, SELECT, or OR 1=1 in the cstid parameter.
  • Anomalous database query patterns originating from the CRM application service account, including queries against information_schema or system tables.
  • Unusual response sizes or HTTP 500 errors from the affected endpoint during reconnaissance attempts.

Detection Strategies

  • Inspect web server and application logs for requests to HNDCBas_customPrmSearchDtl.jsp with non-numeric or oversized cstid values.
  • Deploy a web application firewall (WAF) rule set that flags SQL injection signatures targeting JSP endpoints.
  • Enable database audit logging to record queries issued by the CRM application and correlate them with web request timestamps.

Monitoring Recommendations

  • Alert on high-frequency requests to the affected endpoint from a single source address, indicating automated scanning or exploitation.
  • Monitor for outbound data transfers from the CRM database host that deviate from baseline volumes.
  • Track newly created or modified database accounts and stored procedures following any suspicious request burst.

How to Mitigate CVE-2025-7801

Immediate Actions Required

  • Restrict network access to the BossSoft CRM 6.0 application to trusted internal networks or VPN clients until a vendor patch is applied.
  • Place a WAF in front of the application with rules blocking SQL injection patterns on the cstid parameter.
  • Review database and web server logs for evidence of prior exploitation attempts against HNDCBas_customPrmSearchDtl.jsp.

Patch Information

No vendor advisory or official patch from BossSoft has been published in the references available at disclosure time. Operators should contact the vendor directly for remediation guidance and monitor the VulDB entry #316867 for updates.

Workarounds

  • Implement input validation at a reverse proxy or WAF layer to reject any cstid value that is not a strictly numeric identifier.
  • Apply the principle of least privilege to the database account used by the CRM application, removing rights to system tables and write access where not strictly required.
  • Disable or block public access to the /crm/module/HNDCBas_customPrmSearchDtl.jsp endpoint if it is not required for business operations.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.