CVE-2025-9140 Overview
CVE-2025-9140 is a SQL injection vulnerability in Shanghai Lingdang Information Technology Lingdang CRM versions up to 8.6.4.7. The flaw resides in the /crm/crmapi/erp/tabdetail_moduleSave.php endpoint, where the getvaluestring parameter is concatenated into a SQL query without proper sanitization. An authenticated remote attacker can manipulate the parameter to inject arbitrary SQL statements. The vendor released version 8.6.5.4, which addresses the issue using parameterized queries and input sanitization. A public exploit is referenced in Exploit-DB entry 52420, increasing the likelihood of opportunistic abuse against unpatched deployments.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the backend database, leading to unauthorized data read, modification, or limited tampering of CRM records.
Affected Products
- Shanghai Lingdang Information Technology Lingdang CRM versions up to and including 8.6.4.7
- 51mis:lingdang_crm component as identified in NVD CPE data
- Deployments exposing /crm/crmapi/erp/tabdetail_moduleSave.php to authenticated users
Discovery Timeline
- 2025-08-19 - CVE-2025-9140 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9140
Vulnerability Analysis
The vulnerability is classified under [CWE-89] SQL Injection and [CWE-74] Improper Neutralization of Special Elements in Output. The affected script tabdetail_moduleSave.php processes the getvaluestring request parameter and incorporates the value directly into a SQL statement. Because the application does not enforce parameterized queries or escape user-controlled characters, an attacker supplying SQL metacharacters can alter the structure of the query. Successful exploitation allows the attacker to extract CRM data such as customer records, sales pipeline information, and credential material stored in adjacent tables.
Root Cause
The root cause is unsafe string concatenation between user-supplied input and the SQL query executed by the backend. The vendor confirmed the fix in version 8.6.5+ involved replacing the vulnerable code paths with parameterized queries and adding input sanitization. The absence of these controls in earlier builds permits direct injection through the getvaluestring argument.
Attack Vector
Exploitation requires network access to the CRM web application and low-privilege authenticated access, as reflected by the CVSS 4.0 vector (PR:L). An attacker submits a crafted HTTP request targeting /crm/crmapi/erp/tabdetail_moduleSave.php with malicious SQL payloads inserted into the getvaluestring parameter. Because the exploit is documented in Exploit-DB #52420, reproduction is trivial for adversaries who obtain valid credentials, including through phishing or credential reuse.
No verified proof-of-concept code is published in this advisory. Refer to the VulDB report for additional technical context on the injection technique.
Detection Methods for CVE-2025-9140
Indicators of Compromise
- HTTP POST requests to /crm/crmapi/erp/tabdetail_moduleSave.php containing SQL metacharacters such as ', --, UNION, or SLEEP( in the getvaluestring parameter
- Unexpected database errors or stack traces returned to authenticated CRM sessions
- Anomalous read volumes from CRM database accounts, particularly bulk SELECT activity outside business hours
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect parameters submitted to tabdetail_moduleSave.php for SQL injection signatures
- Enable database audit logging to record queries originating from the CRM service account and alert on queries referencing system catalogs (information_schema, mysql.user)
- Correlate authentication events with subsequent HTTP requests to the vulnerable endpoint to identify low-privilege accounts probing the parameter
Monitoring Recommendations
- Forward CRM web server access logs and database audit logs to a centralized SIEM for retention and correlation
- Baseline normal usage of the tabdetail_moduleSave.php endpoint and alert on payload length or character class deviations
- Track outbound connections from the CRM host to detect data exfiltration following suspected injection activity
How to Mitigate CVE-2025-9140
Immediate Actions Required
- Upgrade Lingdang CRM to version 8.6.5.4 or later, where the vendor applied parameterized queries and input sanitization
- Restrict network access to the CRM administrative endpoints using IP allow-listing or VPN gateways
- Rotate credentials for any CRM user accounts that may have been exposed if exploitation is suspected
Patch Information
The vendor states that all SQL injection vectors were remediated in version 8.6.5+ through parameterized queries and input sanitization. Administrators should plan an upgrade to 8.6.5.4 or the latest available build. Patch validation should include verifying that requests with SQL metacharacters in getvaluestring are rejected or safely escaped.
Workarounds
- Apply WAF virtual patching rules that block SQL injection patterns on the getvaluestring parameter until the upgrade is performed
- Limit CRM application database accounts to the minimum privileges needed, removing rights to system tables and write access where feasible
- Disable or restrict access to /crm/crmapi/erp/tabdetail_moduleSave.php for accounts that do not require module-save functionality
# Example WAF rule (ModSecurity) to block SQLi patterns on the vulnerable parameter
SecRule ARGS:getvaluestring "@rx (?i)(union(.*?)select|sleep\(|--|';|/\*)" \
"id:920140,phase:2,deny,status:403,log,msg:'CVE-2025-9140 Lingdang CRM SQLi attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

