CVE-2025-60801

HighPublic PoCRCE

Published: 24 October 2025

Published

24 October 2025

Modified

05 November 2025

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS Score 0.0019 40.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-60801 is a high-severity Command Injection (CWE-77) vulnerability in Jishenghua Jsherp. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the command injection vulnerability in the jsh_erp function by applying updates to commits beyond fbda24da as specified in the mitigation details.

SI-10 Information Input Validation good match

prevent

Prevents command injection (CWE-77) exploitation by validating and sanitizing unauthenticated inputs to the vulnerable jsh_erp function.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Blocks unauthenticated remote attackers by requiring identification and authentication for non-organizational users accessing the jshERP instance.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Unauthenticated RCE via command injection in public-facing jshERP application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059 (Command and Scripting Interpreter) for arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

jshERP up to commit fbda24da was discovered to contain an unauthenticated remote code execution (RCE) vulnerability via the jsh_erp function.

Deeper analysisAI

CVE-2025-60801 is an unauthenticated remote code execution (RCE) vulnerability affecting jshERP up to commit fbda24da. The issue stems from the jsh_erp function and is categorized under CWE-77 (Command Injection). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

The vulnerability enables exploitation by unauthenticated remote attackers with network access to the affected jshERP instance. By interacting with the vulnerable jsh_erp function, attackers can execute arbitrary commands on the server, achieving high integrity impact such as unauthorized data modification, alongside limited confidentiality exposure and no availability disruption.

Mitigation details are referenced in the GitHub issue tracker for jshERP at https://github.com/jishenghua/jshERP/issues/132 and a related advisory at https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d/. Security practitioners should update to commits beyond fbda24da to address the flaw.