Cyber Posture

CVE-2025-10090

High · Public PoC

Published: 08 September 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0173 (82.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10090 is a high-severity Injection (CWE-74) vulnerability in Jinher OA. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-10 directly prevents SQL injection by requiring validation of untrusted inputs such as the vulnerable ID parameter in GetTreeDate.aspx.

Prevent: SI-2 addresses this specific SQL injection flaw through timely identification, testing, and installation of software patches for Jinher OA.

Detect, respond: RA-5 detects the SQL injection vulnerability via scanning exposed Jinher OA instances and drives remediation based on risk.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505 Server Software Component (Persistence)
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

Why these techniques?

Unauthenticated SQL injection in public-facing Jinher OA web application (/C6/Jhsoft.Web.departments/GetTreeDate.aspx?id=) enables remote exploitation for initial access (T1190) and abuse of server software component via arbitrary SQL execution (T1505), potentially leading to data access, escalation, or RCE.

NVD Description

A flaw has been found in Jinher OA up to 1.2. The impacted element is an unknown function of the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

Deeper analysis (AI)

CVE-2025-10090 is a SQL injection vulnerability affecting Jinher OA versions up to 1.2. The flaw resides in an unknown function within the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx, where manipulation of the ID argument enables SQL injection. It is associated with CWE-74 and CWE-89, and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remote unauthenticated attackers can exploit this vulnerability with low attack complexity. By crafting malicious requests targeting the ID parameter, attackers can inject SQL payloads, potentially leading to unauthorized access, data manipulation, or other SQL injection consequences aligned with the low impacts on confidentiality, integrity, and availability indicated by the CVSS score.

Advisories provide further details via references including https://github.com/Cstarplus/CVE/issues/1, https://vuldb.com/?ctiid.323045, https://vuldb.com/?id.323045, and https://vuldb.com/?submit.644635. The exploit has been published and may be used by attackers.

The vulnerability was published on 2025-09-08T10:15:35.710, highlighting the need for immediate assessment of exposed Jinher OA instances.
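
One way to triage web server logs for this issue, as an added example that is not from the advisory or the vendor: it flags requests to the affected page whose ID value, after undoing nested percent-encoding, falls outside an assumed benign format. The log lines are constructed, and the W3C field layout and the `BENIGN_ID` pattern are assumptions to adapt to your deployment.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Path from the advisory text; lower-cased because IIS paths are case-insensitive.
VULN_PATH = "/c6/jhsoft.web.departments/gettreedate.aspx"

# Assumption: a legitimate id is a short token of letters, digits, '-' or '_'.
# Tighten this to the format your own deployment actually uses.
BENIGN_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample in W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-09-09 08:01:12 192.0.2.10 GET /C6/Jhsoft.Web.departments/GetTreeDate.aspx id=1024 200
2025-09-09 08:03:40 198.51.100.7 GET /C6/Jhsoft.Web.departments/GetTreeDate.aspx id=1%27-- 500
2025-09-09 08:03:44 198.51.100.7 GET /c6/jhsoft.web.departments/gettreedate.aspx ID=1%2527%3B 200
2025-09-09 08:05:02 192.0.2.10 GET /C6/index.aspx id=1%27 200
"""


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2527) so the check sees the final text."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(log_text):
    """Return (client_ip, decoded_id) for hits on the affected page with an unexpected id."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != VULN_PATH:
            continue
        # parse_qsl decodes once; decode_fully handles any remaining layers.
        for name, value in parse_qsl(row.get("cs-uri-query", ""), keep_blank_values=True):
            value = decode_fully(value)
            # ASP.NET query-string keys are case-insensitive, so match id/ID alike.
            if name.lower() == "id" and not BENIGN_ID.fullmatch(value):
                hits.append((row.get("c-ip", "?"), value))
    return hits
```

A hit is a lead for review, not proof of compromise; correlate flagged client addresses with response codes and database-side logs.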

Details

CWE(s)

Affected Products

jinher · jinher oa · ≤ 1.2

CVEs Like This One

CVE-2025-2927: Shared CWE-74, CWE-89
CVE-2025-1843: Shared CWE-74, CWE-89
CVE-2025-3039: Shared CWE-74, CWE-89
CVE-2025-0843: Shared CWE-74, CWE-89
CVE-2025-7180: Shared CWE-74, CWE-89
CVE-2025-7165: Shared CWE-74, CWE-89
CVE-2025-2382: Shared CWE-74, CWE-89
CVE-2025-1841: Shared CWE-74, CWE-89
CVE-2025-2675: Shared CWE-74, CWE-89
CVE-2025-0232: Shared CWE-74, CWE-89

References