Cyber Resilience

CVE-2025-57773

HighPublic PoCRCE

Published: 25 August 2025

Published
25 August 2025
Modified
03 September 2025
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0060 69.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-57773 is a high-severity Code Injection (CWE-94) vulnerability in Dataease Dataease. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-57773 is a critical vulnerability in DataEase, an open source business intelligence and data visualization tool. In versions prior to 2.10.12, DB2 parameters are not properly filtered, enabling a JNDI injection attack. This injection triggers an AspectJWeaver deserialization attack, allowing arbitrary file writes. The issue, associated with CWE-94 (code injection) and CWE-502 (deserialization of untrusted data), requires the presence of commons-collections 4.x and aspectjweaver-1.9.22.jar, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. By injecting malicious JNDI payloads via unfiltered DB2 parameters, attackers trigger deserialization through AspectJWeaver, enabling writes to various files on the target system. This can lead to severe impacts, including high confidentiality, integrity, and availability disruptions, such as remote code execution or system compromise.

The vulnerability has been fixed in DataEase version 2.10.12. Security practitioners should upgrade to this version immediately. Relevant details are available in the project's GitHub security advisory (GHSA-7r8j-6whv-4j5p) and the fixing commit (8d04e92d44e1bac9284e9e64df5afd7f96d9373c).

EU & UK References

Vulnerability details

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files. This…

more

vulnerability requires commons-collections 4.x and aspectjweaver-1.9.22.jar. The vulnerability has been fixed in version 2.10.12.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

JNDI injection in DB2 parameters enables deserialization via AspectJWeaver, resulting in arbitrary file write on the DataEase server. This facilitates exploitation of a public-facing BI web application (T1190) and deployment of web shells for persistence and remote code execution (T1100).

CVEs Like This One

CVE-2024-57707Same product: Dataease Dataease
CVE-2025-58748Same product: Dataease Dataease
CVE-2025-57772Same product: Dataease Dataease
CVE-2025-64164Same product: Dataease Dataease
CVE-2025-58046Same product: Dataease Dataease
CVE-2026-40901Same product: Dataease Dataease
CVE-2025-62420Same product: Dataease Dataease
CVE-2025-64428Same product: Dataease Dataease
CVE-2025-58045Same product: Dataease Dataease
CVE-2024-56511Same product: Dataease Dataease

Affected Assets

dataease
dataease
≤ 2.10.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely remediation through patching to DataEase version 2.10.12, which fixes the unfiltered DB2 parameters.

prevent

Prevents JNDI injection attacks by validating and filtering untrusted inputs in DB2 parameters before processing.

detect

Detects unauthorized file writes resulting from the AspectJWeaver deserialization exploit through software and file integrity verification.

References