Cyber Resilience

CVE-2025-60801

HighPublic PoCRCE

Published: 24 October 2025

Published
24 October 2025
Modified
05 November 2025
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS Score 0.0031 54.8th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60801 is a high-severity Command Injection (CWE-77) vulnerability in Jishenghua Jsherp. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 45.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-60801 is an unauthenticated remote code execution (RCE) vulnerability affecting jshERP up to commit fbda24da. The issue stems from the jsh_erp function and is categorized under CWE-77 (Command Injection). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

The vulnerability enables exploitation by unauthenticated remote attackers with network access to the affected jshERP instance. By interacting with the vulnerable jsh_erp function, attackers can execute arbitrary commands on the server, achieving high integrity impact such as unauthorized data modification, alongside limited confidentiality exposure and no availability disruption.

Mitigation details are referenced in the GitHub issue tracker for jshERP at https://github.com/jishenghua/jshERP/issues/132 and a related advisory at https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d/. Security practitioners should update to commits beyond fbda24da to address the flaw.

EU & UK References

Vulnerability details

jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Unauthenticated RCE via command injection in public-facing jshERP application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1546Same product: Jishenghua Jsherp
CVE-2025-51742Same product: Jishenghua Jsherp
CVE-2025-51746Same product: Jishenghua Jsherp
CVE-2025-51744Same product: Jishenghua Jsherp
CVE-2025-51743Same product: Jishenghua Jsherp
CVE-2025-51745Same product: Jishenghua Jsherp
CVE-2025-7947Same product: Jishenghua Jsherp
CVE-2025-67397Shared CWE-77
CVE-2024-55030Shared CWE-77
CVE-2025-24818Shared CWE-77

Affected Assets

jishenghua
jsherp
≤ 2025-08-14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the command injection vulnerability in the jsh_erp function by applying updates to commits beyond fbda24da as specified in the mitigation details.

prevent

Prevents command injection (CWE-77) exploitation by validating and sanitizing unauthenticated inputs to the vulnerable jsh_erp function.

prevent

Blocks unauthenticated remote attackers by requiring identification and authentication for non-organizational users accessing the jshERP instance.

References