CVE-2025-60803
📋 TL;DR
Antabot White-Jotter contains an unauthenticated remote code execution vulnerability: attackers can execute arbitrary commands on affected systems without logging in. All deployments running White-Jotter up to commit 9bcadc are affected, and exploitation can compromise the entire server.
💻 Affected Systems
- Antabot White-Jotter
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, or establish persistent backdoors.
Likely Case
Attackers gain shell access to the server, deploy cryptocurrency miners, ransomware, or use the system for further attacks.
If Mitigated
Attack blocked at network perimeter or application firewall; no impact if proper segmentation and controls exist.
🎯 Exploit Status
Exploit uses path traversal to bypass authentication and execute commands; trivial for attackers with basic knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit after 9bcadc
Vendor Advisory: https://github.com/Antabot/White-Jotter/issues/162
Restart Required: Yes
Instructions:
1. Update to latest White-Jotter version after commit 9bcadc.
2. Restart the application service.
3. Verify the /api/aaa;/../register endpoint is no longer accessible or properly secured.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
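Use web server or firewall to block access to the vulnerable endpoint (platform: all)
# For nginx:
# nginx matches location blocks against the normalised URI ('..' resolved), so test that this rule actually blocks the /api/aaa;/../register request.
location ~* /api/aaa {
    deny all;
}
# For Apache:
<Location /api/aaa>
    Require all denied
</Location>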
Network Segmentation
Restrict access to White-Jotter to trusted networks only (platform: linux)
# Firewall rule example:
iptables -A INPUT -p tcp --dport [WHITE-JOTTER-PORT] -s [TRUSTED-NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [WHITE-JOTTER-PORT] -j DROP
🧯 If You Can't Patch
- Immediately isolate affected systems from internet and critical networks
- Implement strict network monitoring and alerting for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Test if /api/aaa;/../register endpoint is accessible and responds without authentication
Check Version:
git log --oneline -1 (to check current commit hash)
Verify Fix Applied:
Verify the endpoint returns proper authentication error or 404 after update
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to /api/aaa;/../register
- System command execution from web process
- Failed authentication attempts followed by successful access
Network Indicators:
- Unusual outbound connections from White-Jotter server
- Traffic patterns suggesting command execution
SIEM Query:
source="web_access.log" AND (uri="/api/aaa*" OR uri="*/../register")
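The log indicator above can also be checked offline. The following is an added detection example, not part of the original advisory or the White-Jotter project: it goes beyond the literal /api/aaa string and flags any request path that combines a ';' path parameter with a '..' segment, then reports the path it resolves to. The log format (combined access log), the sample lines and all function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Request portion of a combined-format access log line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /api/aaa;/../register HTTP/1.1" 200 45',
    '192.0.2.11 - - [01/Jan/2025:10:00:05 +0000] "GET /api/book?page=1 HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2025:10:00:09 +0000] "GET /static/app.js;v=3 HTTP/1.1" 200 100',
]


def decoded_path(uri):
    """Drop query/fragment and percent-decode, so encoded forms of the same path match."""
    return unquote(uri.split("?", 1)[0].split("#", 1)[0])


def strip_params(path):
    """Remove the ';...' path parameter from every segment."""
    return [seg.split(";", 1)[0] for seg in path.split("/")]


def normalise(uri):
    """Path the request resolves to once parameters are dropped and '..' is resolved."""
    return posixpath.normpath("/".join(strip_params(decoded_path(uri))))


def is_suspicious(uri):
    """True when the path carries both a ';' parameter and a '..' segment."""
    path = decoded_path(uri)
    return ";" in path and ".." in strip_params(path)


def scan(lines):
    """Return (method, raw URI, resolved path) for every flagged log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_suspicious(match.group("uri")):
            uri = match.group("uri")
            hits.append((match.group("method"), uri, normalise(uri)))
    return hits


if __name__ == "__main__":
    for method, raw, resolved in scan(SAMPLE_LOG):
        print(f"{method} {raw} -> resolves to {resolved}")
```

A ';' on its own (the third sample line) is not flagged, which keeps ordinary path-parameter traffic out of the results.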