Metasoft MetaCRM SQL Injection Vulnerability (CVE-2026-15514)
A critical SQL injection vulnerability (CVE-2026-15514) in Metasoft MetaCRM up to version 6.4.0 Beta06 allows remote attackers to exploit the RPCService.query function via the phprpc_args argument in /customizemt/xkq/rpc.jsp, leading to unauthorized database access and manipulation, with a public exploit available.
A high-severity SQL injection vulnerability, tracked as CVE-2026-15514, has been identified in Metasoft MetaCRM software, affecting versions up to 6.4.0 Beta06. This weakness resides within the RPCService.query function of the /customizemt/xkq/rpc.jsp component, which is part of the PHPRPC Remote Call Interface. Attackers can remotely exploit this flaw by manipulating the phprpc_args argument, injecting malicious SQL queries. This can lead to unauthorized access, modification, or exfiltration of sensitive data from the underlying database. A public exploit for this vulnerability is available, increasing the immediate risk of attacks. The vendor, Metasoft 美特软件, was notified of this vulnerability but has not yet responded to the disclosure. Organizations using affected MetaCRM versions are at significant risk of data breaches and system compromise if this vulnerability remains unpatched.
Attack Chain
- An attacker identifies a vulnerable Metasoft MetaCRM instance exposed to the internet.
- The attacker crafts a specially malformed
phprpc_argsparameter containing SQL injection payload. - The attacker sends an HTTP POST request to the
/customizemt/xkq/rpc.jspendpoint on the vulnerable server, including the maliciousphprpc_argsparameter. - The server's
RPCService.queryfunction within thePHPRPC Remote Call Interfaceprocesses the request without proper sanitization. - The injected SQL commands are executed by the backend database, leading to unauthorized data access or manipulation.
- The attacker gains access to sensitive database information, potentially leading to data exfiltration or further system compromise.
Impact
Successful exploitation of CVE-2026-15514 can result in significant data compromise. Attackers can gain unauthorized read and write access to the MetaCRM database, potentially exfiltrating sensitive customer information, financial data, or internal business records. Manipulation of database content could lead to data integrity issues, service disruption, or even administrative account compromise if credentials are stored insecurely. The widespread use of MetaCRM in various sectors means that a successful attack could impact numerous organizations, resulting in financial losses, reputational damage, and regulatory penalties. The public availability of an exploit significantly escalates the threat level, making immediate action crucial for all affected organizations.
Recommendation
- Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts against CVE-2026-15514.
- Monitor web server logs (
category: webserver) for suspicious POST requests to/customizemt/xkq/rpc.jspcontaining SQL injection patterns in the query string. - Apply any available patches or updates from Metasoft 美特软件 addressing CVE-2026-15514 as soon as they are released. In the absence of an official patch, consider implementing a Web Application Firewall (WAF) to filter malicious input to the
/customizemt/xkq/rpc.jspendpoint.
Detection coverage 1
Detects CVE-2026-15514 Exploitation - Metasoft MetaCRM SQL Injection
highDetects exploitation attempts of CVE-2026-15514, a SQL injection vulnerability in Metasoft MetaCRM, by identifying suspicious POST requests to /customizemt/xkq/rpc.jsp with SQL keywords in the phprpc_args parameter.
Detection queries are available on the platform. Get full rules →