Cyber Posture

CVE-2025-51746

CriticalRCE

Published: 25 November 2025

Published
25 November 2025
Modified
02 December 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0015 34.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-51746 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Jishenghua Jsherp. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly validates untrusted inputs to the /serialNumber/addSerialNumber endpoint, preventing fastjson deserialization of malicious payloads leading to RCE.

SI-2 Flaw Remediation good match
prevent

Remediates the specific deserialization flaw in JSH_ERP 2.3.1 by identifying, patching, and testing updates to the vulnerable fastjson usage.

SC-7 Boundary Protection partial match
preventdetect

Enforces boundary protection at web interfaces using WAF or proxies to inspect and block deserialization attack payloads targeting the unauthenticated endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a remote, unauthenticated deserialization flaw (CWE-502) in a public-facing web endpoint (/serialNumber/addSerialNumber) enabling arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.

Deeper analysisAI

CVE-2025-51746, published on 2025-11-25, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in jishenghua JSH_ERP version 2.3.1. The issue affects the /serialNumber/addSerialNumber endpoint, which is vulnerable to fastjson deserialization attacks, corresponding to CWE-502 (Deserialization of Untrusted Data).

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no authentication, privileges, or user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected system.

Mitigation details and further technical analysis are available in referenced resources, including https://blog.hackpax.top/jsh-erp5/, https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9, https://gitee.com/jishenghua, and https://gitee.com/jishenghua/JSH_ERP.

Details

CWE(s)
CWE-502

Affected Products

jishenghua
jsherp
≤ 2.3.1

CVEs Like This One

CVE-2025-51744Same product: Jishenghua Jsherp
CVE-2025-51742Same product: Jishenghua Jsherp
CVE-2025-51743Same product: Jishenghua Jsherp
CVE-2025-51745Same product: Jishenghua Jsherp
CVE-2026-1546Same product: Jishenghua Jsherp
CVE-2025-60801Same product: Jishenghua Jsherp
CVE-2025-7947Same product: Jishenghua Jsherp
CVE-2025-54366Shared CWE-502
CVE-2025-7916Shared CWE-502
CVE-2025-0994Shared CWE-502

References