CVE-2025-5522
📋 TL;DR
This critical vulnerability in the jack0240 bskms 蓝天幼儿园管理系统 (Blue Sky Kindergarten Management System) lets a remote attacker who has no valid session or credentials create user accounts through the /sa/addUser endpoint, because the handler performs no authorization check before acting. Every deployment built from commit dffe6640b5b54d8e29da6f060e0493fea74b3fad or earlier is affected, and the exploit details are public (see the Gitee issue linked under Fix & Mitigation).
💻 Affected Systems
- jack0240 bskms 蓝天幼儿园管理系统 (Blue Sky Kindergarten Management System)
⚠️ Manual Verification Required
The CVE record carries no version ranges (none were supplied by the vendor or NVD), so automated detection cannot decide from a version string alone whether your deployment is affected. Check the deployed commit and test the endpoint directly, as described under How to Verify.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to the latest commit of the repository as a precaution, then re-test the endpoint: a newer commit proves only that you run newer code, not that the authorization check was added
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrative accounts, gain full system control, access sensitive student/parent data, and potentially pivot to other systems.
Likely Case
Unauthorized user creation leading to privilege escalation, data theft, and system compromise.
If Mitigated
Limited impact with proper network segmentation, strong authentication, and monitoring detecting unauthorized account creation.
🎯 Exploit Status
Exploit details are publicly disclosed in the Gitee issue, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a commit later than dffe6640b5b54d8e29da6f060e0493fea74b3fad (this page names no specific fixing commit)
Vendor Advisory: https://gitee.com/jack0240/bskms/issues/ICAOOU
Restart Required: Yes
Instructions:
1. Pull the latest code from the repository.
2. Run git log --oneline and confirm that dffe6640b5b54d8e29da6f060e0493fea74b3fad appears in the history below HEAD rather than as HEAD itself.
3. Rebuild and redeploy, then restart the application service.
4. Confirm that /sa/addUser rejects requests sent without a session cookie or credentials. A newer commit hash shows only that you have newer code; the endpoint test is what shows the authorization check is present.
🔧 Temporary Workarounds
Block /sa/addUser endpoint
Temporarily block access to the vulnerable endpoint with web server or firewall rules until the application is patched. The rules below are the ones given on this page; the caveats after them matter in practice.
# For nginx (inside the server block that proxies to the application):
location /sa/addUser { deny all; }
# For Apache httpd 2.4:
<Location /sa/addUser>
    Require all denied
</Location>
# For the firewall (plain-HTTP deployments only):
iptables -A INPUT -p tcp --dport [APP_PORT] -m string --string "/sa/addUser" --algo bm -j DROP
Caveats: the nginx location is a prefix match, so it also covers /sa/addUser/ and /sa/addUser;jsessionid=... . Apache <Location> matches only the exact path and sub-paths under a trailing slash, so a request to /sa/addUser;x=1 passes it untouched; if the backend is a Java servlet container (which strips ";" path parameters before routing), use LocationMatch with a regex anchored at ^/sa/addUser instead. The iptables string match inspects raw TCP payload: it is blind to HTTPS, misses a path split across TCP segments, and DROP leaves the client hanging rather than returning an error. Whichever rule you use, make sure the application port itself is not reachable except through the proxy, or the block is trivially bypassed.
Implement authentication proxy
Place the application behind a reverse proxy that enforces authentication before any request reaches the vulnerable endpoint, and restrict the application port so that only the proxy can connect to it.
🧯 If You Can't Patch
- Isolate the system in a restricted network segment with no internet access
- Implement strict network ACLs allowing only trusted IPs to access the application
🔍 How to Verify
Check if Vulnerable:
In the application's source checkout, run git log --oneline -1. If HEAD is dffe6640b5b54d8e29da6f060e0493fea74b3fad or an earlier commit, the deployment is vulnerable. A packaged build deployed without its .git directory gives no such signal; in that case rely on the endpoint test below.
Verify Fix Applied:
Send a request to /sa/addUser without any session cookie or credentials and confirm it is rejected (401, 403, or a redirect to the login page). Test against the application port directly as well as through the proxy, so that a proxy deny rule does not mask an unfixed application.
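A small probe for the check above, written for this page as an added example (it is not code from the bskms project). It assumes the deployment is reachable at BASE_URL and that the endpoint is mapped at /sa/addUser; the real request field names are not known here, so it deliberately sends an empty body and no credentials. A correctly protected endpoint must refuse an anonymous call before it parses any body, so 401/403 or a redirect to the login page means "protected", while 200, 400 or 500 means the handler ran for an anonymous caller. The LOGIN_MARKERS list is an assumed heuristic for panels that wrap a "please log in" error in an HTTP 200 body.

```python
"""Probe whether /sa/addUser rejects a caller with no session or credentials.

Added example, not code from the bskms project or this page. Assumptions:
BASE_URL points at the deployment, the endpoint path is the one named in
the advisory, and the real request field names are unknown, so the probe
sends an EMPTY body on purpose.
"""
import http.client
import ssl
from urllib.parse import urlsplit

ENDPOINT = "/sa/addUser"
BASE_URL = "http://127.0.0.1:8080"  # assumption: change to your deployment

# Assumed markers of an application-level "please log in" answer that is
# returned with HTTP 200 (common in admin panels that wrap errors in JSON).
LOGIN_MARKERS = ("login", "unauthorized", "未登录", "无权限")


def classify(status: int, headers: dict, body: str) -> str:
    """Turn one response into a verdict; header keys must be lowercase."""
    location = headers.get("location", "").lower()
    if status in (401, 403):
        return "protected"  # explicit authentication/authorization failure
    if status in (301, 302, 303, 307, 308) and "login" in location:
        return "protected"  # bounced to the login page before handling
    if status in (404, 405):
        return "inconclusive"  # blocked by a proxy, absent, or wrong method
    if status == 200 and any(m in body.lower() for m in LOGIN_MARKERS):
        return "protected"  # 200 wrapper around a login-required error
    # Anything else (200 success, 400 bad request, 500 from parsing an
    # empty body) means the handler executed for an anonymous caller.
    return "exposed"


def probe(base_url: str = BASE_URL, method: str = "POST",
          timeout: float = 10.0) -> dict:
    """Send one anonymous request: no cookies, no auth header, empty body."""
    parts = urlsplit(base_url)
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
    try:
        conn.request(method, ENDPOINT, body=b"",
                     headers={"Content-Type": "application/x-www-form-urlencoded",
                              "Content-Length": "0"})
        resp = conn.getresponse()  # http.client never follows redirects
        body = resp.read(4096).decode("utf-8", "replace")
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return {"method": method, "status": resp.status,
                "verdict": classify(resp.status, headers, body)}
    finally:
        conn.close()


def verify(base_url: str = BASE_URL) -> dict:
    """POST first (the method this page assumes), then GET if POST was
    inconclusive, so a GET-mapped handler is not missed."""
    result = probe(base_url, "POST")
    if result["verdict"] == "inconclusive":
        result = probe(base_url, "GET")
    return result


if __name__ == "__main__":
    import sys
    r = verify(sys.argv[1] if len(sys.argv) > 1 else BASE_URL)
    print(f"{r['method']} {ENDPOINT}: HTTP {r['status']} -> {r['verdict']}")
```

Because the probe carries no credentials and an empty body it should not create an account even on a vulnerable instance, but run it against a staging copy where you can and inspect the user table afterwards. Run it twice: through the proxy and straight at the application port. A 403 that only the proxy produces means the workaround is active, not that the application was fixed.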
📡 Detection & Monitoring
Log Indicators:
- Requests to /sa/addUser from sources other than administrators' workstations (this page assumes POST; match on the path regardless of method so a GET-mapped handler is not missed)
- Requests to /sa/addUser that carry no session cookie or authentication header yet receive a 2xx response
- New accounts in the application's user table or audit log with no matching administrator session
Network Indicators:
- Requests to /sa/addUser from outside trusted address ranges (the path is only visible where TLS is terminated, i.e. at the proxy or the application)
- Bursts of requests to the endpoint, as produced by scripted enumeration or mass account creation
SIEM Query (illustrative; adapt the field names and the prefix-match syntax to your platform):
source="web_logs" AND uri_path="/sa/addUser*" AND status_code>=200 AND status_code<300 AND NOT src_ip IN [trusted_ips]
The earlier form of this query, with (http_method="POST" OR status_code=200), matched every successful GET on the site as well as every POST to the endpoint regardless of status. Successful responses from untrusted sources are the actionable set; the remaining non-2xx hits on the endpoint still deserve a lower-severity "probing" alert. Note that the application may answer a rejected call with HTTP 200 and an error body, so correlate with the application's own user-creation records rather than trusting the status code alone.
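The detection logic above, applied to access logs, as an added example written for this page (not code from the project or from any SIEM vendor). It parses the nginx/Apache "combined" log format, matches the path regardless of method, normalises query strings and ";" path parameters the way a Java servlet container would before routing (an assumption about the backend that is harmless if wrong), and reports every hit from a source outside an assumed trusted range. The log lines are constructed for the example.

```python
"""Flag hits on /sa/addUser in web server access logs.

Added example, not from the page or the bskms project. TRUSTED_NETS and the
sample log lines are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: admin range
ENDPOINT_PREFIX = "/sa/addUser"

# nginx/Apache "combined" format: ip ident user [time] "req" status size "ref" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two scripted POSTs, one admin POST from the trusted
# range, a GET with a ";jsessionid" path parameter, and a blocked attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:01:03 +0000] "POST /sa/addUser HTTP/1.1" 200 51 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jun/2025:10:01:09 +0000] "POST /sa/addUser HTTP/1.1" 200 51 "-" "python-requests/2.31"
10.1.2.3 - - [12/Jun/2025:10:02:30 +0000] "POST /sa/addUser HTTP/1.1" 200 51 "http://bskms.internal/sa/users" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2025:10:03:11 +0000] "GET /sa/addUser;jsessionid=abc?name=x HTTP/1.1" 200 51 "-" "curl/8.4"
198.51.100.9 - - [12/Jun/2025:10:03:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.4"
203.0.113.8 - - [12/Jun/2025:10:04:00 +0000] "POST /sa/addUser HTTP/1.1" 403 0 "-" "curl/8.4"
"""


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode, and drop ';param' segments.

    Java servlet containers remove ';' path parameters before routing, so
    '/sa/addUser;jsessionid=...' reaches the same handler as '/sa/addUser'
    (assumption about the backend; harmless for other stacks)."""
    path = unquote(target.split("?", 1)[0])
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: never treat as trusted
    return any(addr in net for net in TRUSTED_NETS)


def scan(log_text: str) -> dict:
    """Return {source_ip: [events]} for untrusted hits on the endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if not normalize_path(m["target"]).startswith(ENDPOINT_PREFIX):
            continue
        if is_trusted(m["ip"]):
            continue
        hits[m["ip"]].append({"ts": m["ts"], "method": m["method"],
                              "status": int(m["status"]), "ua": m["ua"]})
    return dict(hits)


def likely_account_creation(hits: dict) -> list:
    """Sources with at least one 2xx on the endpoint: treat as a probable
    account creation until the user table says otherwise."""
    return sorted(ip for ip, evs in hits.items()
                  if any(200 <= e["status"] < 300 for e in evs))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, evs in found.items():
        print(f"{ip}: {len(evs)} hit(s), statuses {[e['status'] for e in evs]}")
    print("investigate first:", likely_account_creation(found))
```

The 403 from 203.0.113.8 is still reported, because a blocked attempt shows that someone knows the endpoint; only the 2xx sources are promoted to the "investigate first" list. As the page notes, an application that answers rejected calls with HTTP 200 makes the status code unreliable, so the final word is the user table, not this list.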