Cyber Posture

CVE-2025-14908

Medium · Public PoC · Updated

Published: 19 December 2025
Modified: 29 April 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0015 (35.4th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14908 is a medium-severity Improper Authentication (CWE-287) vulnerability in Jeecg Jeecg Boot. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of flaws like this improper authentication bypass, directly enabling application of the available patch to prevent exploitation.

prevent (AC-3, Access Enforcement): Mandates enforcement of approved access control policies, directly countering the authentication bypass achieved through ID argument manipulation in the tenant controller.

prevent (IA-2, Identification and Authentication (Organizational Users)): Ensures identification and authentication of organizational users are robustly implemented, preventing bypass vulnerabilities in multi-tenant management functions.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an improper authentication bypass in a public-facing web application's Multi-Tenant Management Module (SysTenantController), exploitable remotely with low privileges via ID manipulation, directly enabling exploitation of a public-facing application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module. Performing manipulation of the argument ID results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The patch is named e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2/67795493bdc579e489d3ab12e52a1793c4f8a0ee. It is recommended to apply a patch to fix this issue.

Deeper analysis

CVE-2025-14908 is an improper authentication vulnerability (CWE-287) affecting JeecgBoot versions up to 3.9.0. The flaw resides in an unknown function within the Multi-Tenant Management Module, specifically the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java. It is triggered by manipulating the ID argument, leading to authentication bypass.

The vulnerability allows remote exploitation by attackers with low privileges (PR:L), requiring no user interaction (UI:N) and low attack complexity (AC:L). Successful exploitation grants limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L), with an overall CVSS v3.1 base score of 6.3 (Medium). Attackers can initiate the exploit over the network (AV:N) without changing the scope (S:U).

Advisories recommend applying the available patch, identified by the GitHub commit e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2 or the hash 67795493bdc579e489d3ab12e52a1793c4f8a0ee. Additional details are documented in JeecgBoot GitHub issue #9196 and VulDB entries (ctiid.337432, id.337432).

An exploit for this vulnerability has been publicly released and may be actively exploited.

Details

CWE(s): CWE-287 (Improper Authentication)

Affected Products

Vendor: jeecg
Product: jeecg boot
Versions: ≤ 3.9.0

CVEs Like This One

CVE-2026-2822 (same product: Jeecg Jeecg Boot)
CVE-2026-1746 (same product: Jeecg Jeecg Boot)
CVE-2024-40489 (same product: Jeecg Jeecg Boot)
CVE-2024-43028 (same product: Jeecg Jeecg Boot)
CVE-2026-2555 (same product: Jeecg Jeecg Boot)
CVE-2025-14909 (same product: Jeecg Jeecg Boot)
CVE-2025-66913 (same vendor: Jeecg)
CVE-2025-65128 (shared CWE-287)
CVE-2026-34121 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)