CVE-2025-2365
📋 TL;DR
This vulnerability allows remote attackers to perform XML External Entity (XXE) attacks through the webHook function in crmeb_java's WeChatMessageController. Attackers can potentially read sensitive files, cause denial of service, or perform server-side request forgery. All users running crmeb_java versions up to 1.3.4 are affected.
💻 Affected Systems
- crmeb_java
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through file disclosure, SSRF attacks, or denial of service via entity expansion attacks.
Likely Case
Sensitive file disclosure from the server, including configuration files, credentials, or internal data.
If Mitigated
Limited impact if XML parsing is disabled or properly configured to reject external entities.
🎯 Exploit Status
A public exploit is available on GitHub; it requires sending specially crafted XML to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: unknown
Vendor Advisory: none
Restart Required: No
Instructions:
No official patch is available. Upgrade to a version above 1.3.4 if one is available, or implement the workarounds below.
🔧 Temporary Workarounds
Disable XXE in XML parser
Configure the XML parser to disable external entity processing.
Modify WeChatMessageController.java to set the XML parser features: FEATURE_SECURE_PROCESSING = true, DISALLOW_DOCTYPE_DECL = true
Input validation and filtering
Implement strict input validation to reject XML containing external entity references.
Add input validation in the webHook method to detect and reject XXE patterns.
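The following is an added illustration of the first workaround, not code from crmeb_java. It builds a hardened DocumentBuilder the way the advisory describes (secure processing on, DOCTYPE declarations disallowed, plus the related external-entity and external-DTD features switched off) and shows that a callback document carrying any DOCTYPE is rejected before entity expansion can occur. The class and method names, and the sample WeChat-style callback XML, are constructed for this example; the feature URIs are the standard Xerces/JDK ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper; not part of crmeb_java's WeChatMessageController.
public class SafeWeChatXmlParser {

    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Secure processing: enforces entity expansion and size limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE. WeChat callback XML never needs one, and without a
        // DOCTYPE no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the
        // feature above: no external general/parameter entities, no external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses an incoming callback body with the hardened builder.
    public static Document parseCallback(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = newHardenedBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a normal WeChat text-message callback.
        String benign = "<xml><ToUserName><![CDATA[gh_example]]></ToUserName>"
                + "<MsgType><![CDATA[text]]></MsgType></xml>";
        // Constructed sample carrying a DOCTYPE with a harmless internal entity;
        // the hardened parser must refuse it regardless of what the entity contains.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"constructed\">]>"
                + "<xml><MsgType>&e;</MsgType></xml>";

        System.out.println("benign root element: "
                + parseCallback(benign).getDocumentElement().getTagName());
        try {
            parseCallback(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted, parser is not hardened");
        } catch (SAXException e) {
            System.out.println("rejected DOCTYPE as expected: " + e.getMessage());
        }
    }
}
```

Applying this in the controller means replacing whatever factory the webHook method currently obtains from `DocumentBuilderFactory.newInstance()` with `newHardenedBuilder()`; the same feature settings apply to SAXParserFactory or XMLInputFactory if the project parses the callback through one of those instead.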
🧯 If You Can't Patch
- Implement network segmentation to restrict access to vulnerable endpoints
- Deploy web application firewall with XXE protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether you are running crmeb_java version ≤1.3.4 and whether the webHook endpoint accepts XML input.
Check Version:
Check application version in configuration files or via application interface
Verify Fix Applied:
Test with XXE payloads to confirm they are rejected or fail to execute
📡 Detection & Monitoring
Log Indicators:
- Unusual XML payloads in webHook requests
- File read attempts in logs
- External entity references in request data
Network Indicators:
- HTTP requests to webHook endpoint with XML containing DOCTYPE declarations
- Outbound connections initiated by server to external URLs
SIEM Query:
source="webhook" AND (payload CONTAINS "<!DOCTYPE" OR payload CONTAINS "SYSTEM")
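As an added example of the detection logic above, not part of the original advisory: the scan below applies the two indicators the SIEM query expresses (a DOCTYPE declaration, or an ENTITY declaration with a SYSTEM/PUBLIC external identifier) to constructed access-log lines and reports only those hitting the webHook path. The log format, the `/webHook` path fragment and the class name are assumptions for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical detection helper; not from crmeb_java.
public class WebhookXxeIndicatorScan {
    // Indicator 1: any DOCTYPE declaration in the request body.
    private static final Pattern DOCTYPE =
            Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);
    // Indicator 2: an entity declaration referencing an external identifier.
    private static final Pattern EXTERNAL_ENTITY =
            Pattern.compile("<!ENTITY\\s+%?\\s*\\S+\\s+(SYSTEM|PUBLIC)\\b", Pattern.CASE_INSENSITIVE);

    // Assumed log line format: "<timestamp> <method> <path> body=<request body>"
    public static List<String> findSuspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            String[] parts = line.split(" ", 4);
            if (parts.length < 4) {
                continue; // not in the expected format
            }
            String path = parts[2];
            String body = parts[3];
            // Assumption: the vulnerable endpoint's path contains "webHook".
            if (!path.contains("webHook")) {
                continue;
            }
            boolean doctype = DOCTYPE.matcher(body).find();
            boolean external = EXTERNAL_ENTITY.matcher(body).find();
            if (doctype || external) {
                hits.add(parts[0] + " " + path
                        + (doctype ? " [DOCTYPE]" : "")
                        + (external ? " [EXTERNAL-ENTITY]" : ""));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines for the demonstration.
        List<String> sample = List.of(
            "2025-01-01T10:00:00Z POST /api/webHook body=<xml><MsgType>text</MsgType></xml>",
            "2025-01-01T10:00:05Z POST /api/webHook body=<!DOCTYPE x [<!ENTITY e \"c\">]><xml/>",
            "2025-01-01T10:00:09Z POST /api/webHook body=<!DOCTYPE x [<!ENTITY e SYSTEM \"placeholder\">]><xml/>",
            "2025-01-01T10:00:12Z GET /api/other body=<!DOCTYPE x><xml/>"
        );
        for (String hit : findSuspicious(sample)) {
            System.out.println("ALERT " + hit);
        }
    }
}
```

The GET to a non-webHook path is deliberately ignored so the scan mirrors the `source="webhook"` scope of the SIEM query; widen the path filter if the application exposes the handler under a different route.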