Skip to main content

BES Application Server CVE-2025-60805

HIGH
Information Exposure (CWE-200)
2025-10-28 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network request to a pre-resource endpoint yields sensitive data (PR:N/AV:N/AC:L); impact is confidentiality-only, so I:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 03:12 vuln.today

DescriptionCVE.org

An issue was discovered in BESSystem BES Application Server thru 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml.

AnalysisAI

Information disclosure in BESSystem (Baolande) BES Application Server through version 9.5.x lets remote unauthenticated attackers retrieve sensitive data by abusing the "pre-resource" option in the bes-web.xml deployment descriptor. The flaw exposes protected resources or configuration content over the network with no authentication (CVSS 7.5, C:H). No public exploit identified at time of analysis, though a third-party gist referencing the issue is linked in NVD; EPSS is low at 0.34% (26th percentile).

Technical ContextAI

BES Application Server is a Java EE application server produced by Chinese vendor BESSystem (Baolande). Web application deployment is governed by a proprietary descriptor, bes-web.xml, validated against the vendor's bes-web-app_2_5-0.dtd. The "pre-resource" element in this descriptor controls how the server maps and pre-loads static or protected resources for a web application. The weakness is classified CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), meaning the resource-handling logic returns files or data that should be access-controlled, effectively bypassing intended authorization on those resources.

Affected ProductsAI

BESSystem (Baolande) BES Application Server, all versions up to and including the 9.5.x branch ("thru 9.5.x"), are reported affected. No CPE string was supplied in the input, so exact edition/build coverage is not machine-confirmed. Vendor product information is available at https://www.bessystem.com/product/0ad9b8c4d6af462b8d15723a5f25a87d/info?p=101, and the descriptor grammar referenced is http://www.bessystem.com/appserver/dtds/bes-web-app_2_5-0.dtd. No fixed version is identified in the provided references.

RemediationAI

No vendor-released patch identified at time of analysis; none of the provided references (vendor product page, DTD, third-party gist) name a fixed build. Contact BESSystem/Baolande directly for a patched release beyond 9.5.x and monitor https://www.bessystem.com/product/0ad9b8c4d6af462b8d15723a5f25a87d/info?p=101 for updates. As compensating controls, audit every deployed web application's bes-web.xml and remove or tightly scope the "pre-resource" configuration so it cannot expose protected paths; place the application server behind a reverse proxy or WAF that blocks direct requests to internal/config resource paths; and restrict network reachability of the management and application ports to trusted segments only. Trade-off: disabling or narrowing "pre-resource" may break applications that legitimately rely on pre-loaded resource mapping, so validate in staging before production rollout.

Share

CVE-2025-60805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy