Skip to main content
CVE Vulnerability Database

CVE-2025-9140: 51mis Lingdang CRM SQLi Vulnerability

CVE-2025-9140 is a SQL injection vulnerability in 51mis Lingdang CRM that allows remote attackers to manipulate database queries. This article covers the technical details, affected versions up to 8.6.4.7, and mitigation.

Published:

CVE-2025-9140 Overview

CVE-2025-9140 is a SQL injection vulnerability in Shanghai Lingdang Information Technology Lingdang CRM versions up to 8.6.4.7. The flaw resides in the /crm/crmapi/erp/tabdetail_moduleSave.php endpoint, where the getvaluestring parameter is concatenated into a SQL query without proper sanitization. An authenticated remote attacker can manipulate the parameter to inject arbitrary SQL statements. The vendor released version 8.6.5.4, which addresses the issue using parameterized queries and input sanitization. A public exploit is referenced in Exploit-DB entry 52420, increasing the likelihood of opportunistic abuse against unpatched deployments.

Critical Impact

Authenticated attackers can execute arbitrary SQL queries against the backend database, leading to unauthorized data read, modification, or limited tampering of CRM records.

Affected Products

  • Shanghai Lingdang Information Technology Lingdang CRM versions up to and including 8.6.4.7
  • 51mis:lingdang_crm component as identified in NVD CPE data
  • Deployments exposing /crm/crmapi/erp/tabdetail_moduleSave.php to authenticated users

Discovery Timeline

  • 2025-08-19 - CVE-2025-9140 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-9140

Vulnerability Analysis

The vulnerability is classified under [CWE-89] SQL Injection and [CWE-74] Improper Neutralization of Special Elements in Output. The affected script tabdetail_moduleSave.php processes the getvaluestring request parameter and incorporates the value directly into a SQL statement. Because the application does not enforce parameterized queries or escape user-controlled characters, an attacker supplying SQL metacharacters can alter the structure of the query. Successful exploitation allows the attacker to extract CRM data such as customer records, sales pipeline information, and credential material stored in adjacent tables.

Root Cause

The root cause is unsafe string concatenation between user-supplied input and the SQL query executed by the backend. The vendor confirmed the fix in version 8.6.5+ involved replacing the vulnerable code paths with parameterized queries and adding input sanitization. The absence of these controls in earlier builds permits direct injection through the getvaluestring argument.

Attack Vector

Exploitation requires network access to the CRM web application and low-privilege authenticated access, as reflected by the CVSS 4.0 vector (PR:L). An attacker submits a crafted HTTP request targeting /crm/crmapi/erp/tabdetail_moduleSave.php with malicious SQL payloads inserted into the getvaluestring parameter. Because the exploit is documented in Exploit-DB #52420, reproduction is trivial for adversaries who obtain valid credentials, including through phishing or credential reuse.

No verified proof-of-concept code is published in this advisory. Refer to the VulDB report for additional technical context on the injection technique.

Detection Methods for CVE-2025-9140

Indicators of Compromise

  • HTTP POST requests to /crm/crmapi/erp/tabdetail_moduleSave.php containing SQL metacharacters such as ', --, UNION, or SLEEP( in the getvaluestring parameter
  • Unexpected database errors or stack traces returned to authenticated CRM sessions
  • Anomalous read volumes from CRM database accounts, particularly bulk SELECT activity outside business hours

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect parameters submitted to tabdetail_moduleSave.php for SQL injection signatures
  • Enable database audit logging to record queries originating from the CRM service account and alert on queries referencing system catalogs (information_schema, mysql.user)
  • Correlate authentication events with subsequent HTTP requests to the vulnerable endpoint to identify low-privilege accounts probing the parameter

Monitoring Recommendations

  • Forward CRM web server access logs and database audit logs to a centralized SIEM for retention and correlation
  • Baseline normal usage of the tabdetail_moduleSave.php endpoint and alert on payload length or character class deviations
  • Track outbound connections from the CRM host to detect data exfiltration following suspected injection activity

How to Mitigate CVE-2025-9140

Immediate Actions Required

  • Upgrade Lingdang CRM to version 8.6.5.4 or later, where the vendor applied parameterized queries and input sanitization
  • Restrict network access to the CRM administrative endpoints using IP allow-listing or VPN gateways
  • Rotate credentials for any CRM user accounts that may have been exposed if exploitation is suspected

Patch Information

The vendor states that all SQL injection vectors were remediated in version 8.6.5+ through parameterized queries and input sanitization. Administrators should plan an upgrade to 8.6.5.4 or the latest available build. Patch validation should include verifying that requests with SQL metacharacters in getvaluestring are rejected or safely escaped.

Workarounds

  • Apply WAF virtual patching rules that block SQL injection patterns on the getvaluestring parameter until the upgrade is performed
  • Limit CRM application database accounts to the minimum privileges needed, removing rights to system tables and write access where feasible
  • Disable or restrict access to /crm/crmapi/erp/tabdetail_moduleSave.php for accounts that do not require module-save functionality
bash
# Example WAF rule (ModSecurity) to block SQLi patterns on the vulnerable parameter
SecRule ARGS:getvaluestring "@rx (?i)(union(.*?)select|sleep\(|--|';|/\*)" \
    "id:920140,phase:2,deny,status:403,log,msg:'CVE-2025-9140 Lingdang CRM SQLi attempt'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.