Cyber Resilience

CVE-2025-51743

CriticalRCE

Published: 25 November 2025

Published
25 November 2025
Modified
02 December 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 34.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-51743 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jishenghua Jsherp. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-51743 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) discovered in jishenghua JSH_ERP version 2.3.1. It affects the /materialCategory/addMaterialCategory endpoint, which is vulnerable to fastjson deserialization attacks, mapped to CWE-502 (Deserialization of Untrusted Data). Published on 2025-11-25, this flaw enables insecure processing of untrusted data in the ERP system's material category management functionality.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no authentication privileges or user interaction. Exploitation involves sending a crafted request to the vulnerable endpoint, triggering deserialization of malicious fastjson payloads. This can result in high-impact compromise, including arbitrary code execution, data exfiltration, modification, or denial of service on the affected server.

Mitigation details and further technical analysis are available in referenced advisories, including the discovery report at https://blog.hackpax.top/jsh-erp2/, a proof-of-concept at https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9, and the vendor's repositories at https://gitee.com/jishenghua and https://gitee.com/jishenghua/JSH_ERP. Security practitioners should review these for patching guidance or workarounds specific to JSH_ERP deployments.

EU & UK References

Vulnerability details

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated deserialization flaw in a public-facing web endpoint, directly enabling exploitation of public-facing applications for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-51742Same product: Jishenghua Jsherp
CVE-2025-51746Same product: Jishenghua Jsherp
CVE-2025-51744Same product: Jishenghua Jsherp
CVE-2025-51745Same product: Jishenghua Jsherp
CVE-2026-1546Same product: Jishenghua Jsherp
CVE-2025-60801Same product: Jishenghua Jsherp
CVE-2025-7947Same product: Jishenghua Jsherp
CVE-2024-13770Shared CWE-502
CVE-2026-27303Shared CWE-502
CVE-2025-53586Shared CWE-502

Affected Assets

jishenghua
jsherp
≤ 2.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely patching and flaw remediation for the fastjson deserialization vulnerability in JSH_ERP directly eliminates the root cause of CVE-2025-51743 exploitation.

prevent

Information input validation on the /materialCategory/addMaterialCategory endpoint prevents deserialization of malicious fastjson payloads from untrusted sources.

preventdetect

Boundary protection with web application firewalls monitors and blocks crafted network requests targeting the unauthenticated deserialization endpoint.

References