CVE-2025-1226

5.3 MEDIUM

📋 TL;DR

This critical vulnerability in ywoa allows remote attackers to bypass authorization controls via the /oa/setup/setup.jsp file. It affects all ywoa installations up to version 2024.07.03, potentially enabling unauthorized access to sensitive functionality. Organizations using vulnerable versions should prioritize patching.

💻 Affected Systems

Products:
  • ywoa
Versions: All versions up to and including 2024.07.03
Operating Systems: Any OS running ywoa
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default setup.jsp file and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to gain administrative privileges, access sensitive data, or execute arbitrary code on the server.

🟠 Likely Case

Unauthorized access to administrative functions, data exfiltration, or configuration manipulation leading to further exploitation.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication, and monitoring in place to detect unauthorized access attempts.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploits exist, making internet-facing systems immediate targets.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to insider threats or compromised internal hosts, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed, making this easily weaponizable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.07.04

Vendor Advisory: https://gitee.com/r1bbit/yimioa/issues/IBI7PG

Restart Required: Yes

Instructions:

1. Download ywoa version 2024.07.04 from official sources.
2. Back up the current installation and data.
3. Stop the ywoa service.
4. Replace the files with the patched version.
5. Restart the ywoa service.
6. Verify functionality.

🔧 Temporary Workarounds

Block setup.jsp access

Platform: all

Restrict access to the vulnerable file using web server configuration or firewall rules

# Apache (needs mod_rewrite and RewriteEngine On; pattern shown is for server/vhost config, where the path keeps its leading slash):
RewriteRule ^/oa/setup/setup\.jsp$ - [F,L]
# Nginx:
location ~ ^/oa/setup/setup\.jsp$ { return 403; }
# Firewall (last resort: matches only plaintext HTTP on port 80, packet by packet, so it does not cover HTTPS; prefer the web server rules above):
iptables -A INPUT -p tcp --dport 80 -m string --string '/oa/setup/setup.jsp' --algo bm -j DROP

Remove setup.jsp file

Platform: linux

Delete or rename the vulnerable file if setup functionality is not required

# Delete the file:
rm /path/to/ywoa/oa/setup/setup.jsp
# Or rename it so it can be restored later (a .bak copy left under the web root may still be served as a static file, so prefer moving it outside the web root):
mv /path/to/ywoa/oa/setup/setup.jsp /path/to/ywoa/oa/setup/setup.jsp.bak

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to ywoa only from trusted IP addresses
  • Deploy a web application firewall (WAF) with rules to block requests to /oa/setup/setup.jsp

🔍 How to Verify

Check if Vulnerable:

Check if /oa/setup/setup.jsp exists and is accessible without proper authorization, or verify ywoa version is 2024.07.03 or earlier

Check Version:

Check ywoa web interface admin panel or configuration files for version information

Verify Fix Applied:

Confirm ywoa version is 2024.07.04 or later, and test that /oa/setup/setup.jsp requires proper authentication or returns 403/404

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /oa/setup/setup.jsp from unauthorized IPs
  • Unusual authentication bypass patterns
  • Multiple failed authorization attempts followed by successful access

Network Indicators:

  • Unusual traffic patterns to setup.jsp endpoint
  • Requests to setup.jsp from external IPs

SIEM Query:

source="web_server" AND (url="/oa/setup/setup.jsp" OR url="*/setup.jsp") AND (response_code=200 OR auth_result="success")
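As an added example (not part of this advisory or of ywoa), a small Python checker that applies the same logic as the SIEM query above to access-log lines: it parses combined-format entries, flags any request whose path ends in setup.jsp, and rates 200 responses from outside an assumed trusted admin range highest. The log lines and the trusted network are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format (not from a real ywoa host).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:12:01 +0000] "GET /oa/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:09:12:40 +0000] "GET /oa/setup/setup.jsp HTTP/1.1" 200 5120 "-" "curl/8.4.0"
10.0.0.5 - - [10/Mar/2025:09:13:02 +0000] "GET /oa/setup/setup.jsp?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:09:14:15 +0000] "POST /oa/setup/setup.jsp HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SETUP_PATH_RE = re.compile(r'/setup\.jsp$', re.IGNORECASE)

# Assumed trusted admin range; adjust to the environment.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

def parse_line(line):
    """Return a dict with ip, method, path (query string stripped) and int status, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"] = d["path"].split("?", 1)[0]
    return d

def is_trusted(ip):
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def find_setup_hits(log_text):
    """Return (ip, method, status, severity) for every request to a setup.jsp path.
    200 from an untrusted source is high, 200 from a trusted source is medium,
    anything else (blocked or failed) is low but still worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not SETUP_PATH_RE.search(rec["path"]):
            continue
        if rec["status"] != 200:
            sev = "low"
        else:
            sev = "medium" if is_trusted(rec["ip"]) else "high"
        findings.append((rec["ip"], rec["method"], rec["status"], sev))
    return findings
```

Run it over the real access log with `find_setup_hits(open(path).read())`; any "high" finding on an unpatched host should be treated as a probable authorization bypass.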
