VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Jun 16, 2025 · Updated Apr 29, 2026

CVE-2025-6106

Description

A vulnerability was found in WuKongOpenSource WukongCRM 9.0 and classified as problematic. This issue affects some unknown processing of the file AdminRoleController.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in WukongCRM 9.0's AdminRoleController allows attackers to change user permissions without admin consent.

A cross-site request forgery (CSRF) vulnerability exists in WukongCRM 9.0, specifically in the AdminRoleController.java file. The /system/role/relatedUser endpoint fails to verify the authenticity of incoming requests, allowing an attacker to forge requests that are executed with the privileges of an authenticated administrator [1]. The root cause is the absence of CSRF protection mechanisms, such as anti-CSRF tokens or origin validation.

To exploit this vulnerability, an attacker must trick a logged-in administrator into submitting a crafted request, for example by clicking a malicious link or submitting a hidden form. The attack can be launched remotely, and no additional authentication is required beyond the victim's active session. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].

Successful exploitation enables an attacker to modify user permissions without the administrator's knowledge or consent. This includes granting administrator privileges to regular users, leading to privilege escalation, unauthorized account access, and potential data manipulation or leakage. The impact is significant as it undermines the role-based access control of the CRM system [1].

As of the publication date, the vendor has not responded to the disclosure, and no official patch or fix has been released. Users of WukongCRM 9.0 are advised to add CSRF protections of their own, such as anti-CSRF tokens or SameSite cookie attributes on the session cookie, and to monitor for suspicious activity. Until a patch is available, limiting exposure by restricting network access to the admin interface may serve as a temporary workaround.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
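As an added illustration of the mitigation the narrative recommends (example code written for this page, not WukongCRM's own code or anything from the advisory), the block below is a minimal CSRF guard that combines a per-session synchronizer token with an Origin/Referer allow-list, checked only on state-changing methods. The request and session structures, the allowed origin `crm.example.test`, the form field `_csrf` and the `X-CSRF-Token` header name are assumptions; the sample requests are constructed inline.

```python
"""
Added example, not WukongCRM code: a minimal CSRF guard of the kind the
narrative recommends. A state-changing request is accepted only when it
(1) carries an Origin (or Referer) that matches the application's own
origin and (2) presents the per-session anti-CSRF token. The browser
attaches the session cookie to a forged cross-site request automatically,
but it cannot read the token or spoof the Origin header, so either check
alone stops the forged request; using both gives defence in depth.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the CRM is served from this single origin.
ALLOWED_ORIGINS = {"https://crm.example.test"}

# Methods that must not change state and are therefore exempt from the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Hypothetical server-side session; a fresh token is minted per session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Hypothetical request shape; headers and form are plain dicts."""
    method: str
    path: str
    headers: dict
    form: dict
    session: Session  # resolved from the session cookie the browser sent


def origin_of(req: Request):
    """Return the request's origin: Origin header, else scheme+host of Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request):
    """Return (allowed, reason). Reject unless origin and token both check out."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"

    origin = origin_of(req)
    if origin is None:
        # Browsers send Origin on cross-site POSTs; a missing one is treated as hostile.
        return False, "missing Origin/Referer"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"

    # Token may arrive as a hidden form field or, for XHR, as a header.
    submitted = req.form.get("_csrf") or req.headers.get("X-CSRF-Token")
    if not submitted or not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def run_demo():
    """Exercise the guard with constructed requests against the admin role endpoint."""
    admin = Session(user="admin")
    path = "/system/role/relatedUser"  # endpoint named in the advisory text

    legitimate = Request("POST", path, {"Origin": "https://crm.example.test"},
                         {"_csrf": admin.csrf_token}, admin)
    # Forged from another site: session cookie present, no token, foreign Origin.
    cross_origin = Request("POST", path, {"Origin": "https://evil.example.test"},
                           {}, admin)
    # Same origin but without the token (e.g. a stale or hand-built form).
    no_token = Request("POST", path, {"Origin": "https://crm.example.test"},
                       {}, admin)
    # Reads are not gated by the CSRF check at all.
    read_only = Request("GET", path, {}, {}, admin)

    return {
        "legitimate": csrf_check(legitimate),
        "cross_origin": csrf_check(cross_origin),
        "no_token": csrf_check(no_token),
        "read_only": csrf_check(read_only),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_demo().items():
        print(f"{name:13s} allowed={allowed!s:5s} reason={reason}")
```

Setting `SameSite=Lax` (or `Strict`) on the session cookie is a complementary layer: the browser then withholds the cookie on cross-site POSTs, so the forged request in `cross_origin` would arrive without any session at all. The token check still matters for clients and browsers that do not honour SameSite, which is why the guard above does not rely on the cookie attribute alone.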

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0. No linked articles in our index yet.