Cyber Posture

CVE-2025-14909

Severity: Medium · Public PoC · Updated

Published: 19 December 2025
Modified: 29 April 2026
KEV Added: not listed
Patch
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0013 (32.1st percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14909 is a medium-severity vulnerability of unspecified weakness type in Jeecg Boot (vendor: Jeecg). Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 32.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly addresses the vulnerability by requiring timely identification, testing, and application of the available patch to remediate the session management flaw in SysUserOnlineController.
- Prevent: Enforces approved access authorizations to prevent low-privileged remote attackers from manipulating user sessions via the vulnerable controller.
- Prevent: Applies least privilege to ensure low-privileged users cannot perform unauthorized session management operations on other users' sessions.

MITRE ATT&CK Enterprise Techniques

- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Vulnerability enables low-privileged remote attackers to manage user sessions in a web application, resulting in denial of service via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can lead to manage user sessions. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This patch is called b686f9fbd1917edffe5922c6362c817a9361cfbd. Applying a patch is advised to resolve this issue.

Deeper analysis

CVE-2025-14909 is a vulnerability affecting JeecgBoot versions up to 3.9.0, specifically in the SysUserOnlineController function located in the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. The flaw enables manipulation that allows management of user sessions.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation results in a low-impact availability disruption (A:L) with no confidentiality or integrity effects, as scored at CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). An exploit is publicly available, enabling potential remote attacks.

Mitigation is available via the patch commit b686f9fbd1917edffe5922c6362c817a9361cfbd in the JeecgBoot GitHub repository, and applying this patch is advised. Related discussion appears in GitHub issue #9195, with additional details in the VulDB entry ID 337433 (CTI ID 337433).

Details

CWE(s)

Affected Products

Vendor: jeecg
Product: jeecg boot
Affected versions: ≤ 3.9.0

CVEs Like This One

- CVE-2025-14908 (same product: Jeecg Jeecg Boot)
- CVE-2026-2822 (same product: Jeecg Jeecg Boot)
- CVE-2024-40489 (same product: Jeecg Jeecg Boot)
- CVE-2024-43028 (same product: Jeecg Jeecg Boot)
- CVE-2026-1746 (same product: Jeecg Jeecg Boot)
- CVE-2026-2555 (same product: Jeecg Jeecg Boot)
- CVE-2025-66913 (same vendor: Jeecg)

References