CVE-2025-9140 – This SQL injection vulnerability in Shanghai Li... (How to Fix)

Q: What is the severity of CVE-2025-9140?

CVE-2025-9140 has a CVSS score of 6.3 (MEDIUM). This SQL injection vulnerability in Shanghai Lingdang Information Technology's Lingdang CRM allows remote attackers to execute arbitrary SQL commands via the getvaluestring parameter in the /crm/crmapi/erp/tabdetail_moduleSave.php endpoint. Organizations using Lingdang CRM versions up to 8.6.4.7 are affected and could have their customer relationship management data compromised.

📋 TL;DR

This SQL injection vulnerability in Shanghai Lingdang Information Technology's Lingdang CRM allows remote attackers to execute arbitrary SQL commands via the getvaluestring parameter in the /crm/crmapi/erp/tabdetail_moduleSave.php endpoint. Organizations using Lingdang CRM versions up to 8.6.4.7 are affected and could have their customer relationship management data compromised.

💻 Affected Systems

Products:

Shanghai Lingdang Information Technology Lingdang CRM

Versions: Up to version 8.6.4.7

Operating Systems: All platforms running Lingdang CRM

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific PHP endpoint /crm/crmapi/erp/tabdetail_moduleSave.php with getvaluestring parameter manipulation.

📦 What is this software?

Lingdang Crm by 51mis

View all CVEs affecting Lingdang Crm →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or complete system takeover via SQL injection escalation techniques.

🟠

Likely Case

Unauthorized access to sensitive CRM data including customer information, business records, and potentially authentication credentials stored in the database.

🟢

If Mitigated

Limited impact with proper network segmentation, database permissions, and input validation at other layers.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing CRM systems directly.

🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access, reducing exposure compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID 52420), making this vulnerability easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.6.5.4 and later

Vendor Advisory: Not provided in CVE details

Restart Required: No

Instructions:

1. Backup CRM data and configuration. 2. Download version 8.6.5.4 or later from official vendor sources. 3. Follow vendor upgrade procedures. 4. Verify the patch by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Implement WAF rules to block SQL injection patterns targeting the specific endpoint and parameter.

WAF-specific configuration commands vary by vendor

Endpoint Blocking

web_server

Temporarily block access to /crm/crmapi/erp/tabdetail_moduleSave.php if not required for business operations.

# Apache: RewriteRule ^/crm/crmapi/erp/tabdetail_moduleSave\.php$ - [F]
# Nginx: location ~ /crm/crmapi/erp/tabdetail_moduleSave\.php$ { return 403; }

🧯 If You Can't Patch

Implement strict network segmentation to isolate the CRM system from sensitive networks and databases.
Deploy database monitoring and alerting for unusual SQL queries originating from the CRM application.

🔍 How to Verify

Check if Vulnerable:

Check if the file /crm/crmapi/erp/tabdetail_moduleSave.php exists and test for SQL injection using safe testing methods or review application logs for injection attempts.

Check Version:

Check CRM admin panel or configuration files for version information, typically found in admin interface or /version.php endpoint.

Verify Fix Applied:

After upgrading to 8.6.5.4+, test the vulnerable endpoint with SQL injection payloads to confirm they are properly sanitized and rejected.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs from CRM application
Multiple failed login attempts or parameter manipulation in web server logs for the specific endpoint
GET/POST requests to /crm/crmapi/erp/tabdetail_moduleSave.php with SQL keywords in parameters

Network Indicators:

Unusual outbound database connections from web servers
Traffic patterns showing SQL error messages in HTTP responses

SIEM Query:

source="web_logs" AND (url_path="/crm/crmapi/erp/tabdetail_moduleSave.php" AND (param="getvaluestring" AND value MATCH "('|\"|OR|UNION|SELECT)"))

📊 Metadata

CVE ID: CVE-2025-9140

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.07% exploit probability (21.9th percentile)

Published: August 19, 2025

Last Updated: August 28, 2025

🔗 References

https://vuldb.com/?ctiid.320520 Permissions Required,VDB Entry
https://vuldb.com/?id.320520 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.628087 Third Party Advisory,VDB Entry
https://www.notion.so/SQL2-2459bb66b0a5802ba8e9ca5bc775fc7d?source=copy_link Broken Link
https://www.exploit-db.com/exploits/52420

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9140, you might also want to check these: