CVE Alert: CVE-2025-10091 – Jinher – OA
CVE-2025-10091
A vulnerability has been found in Jinher OA up to 1.2. This affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add of the component XML Handler. The manipulation leads to xml external entity reference. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
AI Summary Analysis
Risk verdict
High risk with public PoC and remote exploitation visible; treat as a priority for immediate remediation.
Why this matters
The issue is an XML External Entity (XXE) vulnerability in Jinher OA’s XML Handler, enabling remote access without authentication. Successful exploitation can lead to data exposure from the server and potential targeted reads of sensitive configuration or filesystem contents, aligning with a high-severity attack surface despite modest impact on availability.
Most likely attack path
An attacker sends crafted XML to the XmlHttp.aspx endpoint without authentication or user interaction. The XML processor resolves external entities, allowing local or internal resource access and potential SSRF, with attacker-controlled input. Privileges required are none, and the impact is limited to data leakage and possible integrity exposure, not broad system takeover.
Who is most exposed
Any organisation running Jinher OA web-facing instances (versions up to 1.2) with the XML Handler enabled is at risk, particularly in document/workflow portals exposed to the internet or poorly segregated internal networks.
Detection ideas
- Look for requests containing DOCTYPE/ENTITY patterns targeting XmlHttp.aspx with large XML payloads.
- Unusual outbound connections from the server during XML processing.
- Logs showing attempted access to local files or internal endpoints during XML parsing.
- WAF/IDS alerts for XXE signatures or known exploit traces.
- Presence of public PoC indicators in traffic or SIEM detections.
Mitigation and prioritisation
- Patch to a fixed version or upgrade to the vendor-supported release; apply as priority if KEV or EPSS guidance is active (treat as priority 1).
- If patching is not immediately possible, disable or constrain external entity processing in the XML parser.
- Implement input sanitisation and restrict the XmlHttp.aspx endpoint exposure (network segmentation, access controls).
- Enable strict monitoring and deploy relevant WAF/IPS rules for XXE.
- Review change management to validate patch deployment across all affected instances.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
