BES Application Server CVE-2025-60805
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network request to a pre-resource endpoint yields sensitive data (PR:N/AV:N/AC:L); impact is confidentiality-only, so I:N and A:N.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
An issue was discovered in BESSystem BES Application Server thru 9.5.x allowing unauthorized attackers to gain sensitive information via the "pre-resource" option in bes-web.xml.
AnalysisAI
Information disclosure in BESSystem (Baolande) BES Application Server through version 9.5.x lets remote unauthenticated attackers retrieve sensitive data by abusing the "pre-resource" option in the bes-web.xml deployment descriptor. The flaw exposes protected resources or configuration content over the network with no authentication (CVSS 7.5, C:H). No public exploit identified at time of analysis, though a third-party gist referencing the issue is linked in NVD; EPSS is low at 0.34% (26th percentile).
Technical ContextAI
BES Application Server is a Java EE application server produced by Chinese vendor BESSystem (Baolande). Web application deployment is governed by a proprietary descriptor, bes-web.xml, validated against the vendor's bes-web-app_2_5-0.dtd. The "pre-resource" element in this descriptor controls how the server maps and pre-loads static or protected resources for a web application. The weakness is classified CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), meaning the resource-handling logic returns files or data that should be access-controlled, effectively bypassing intended authorization on those resources.
Affected ProductsAI
BESSystem (Baolande) BES Application Server, all versions up to and including the 9.5.x branch ("thru 9.5.x"), are reported affected. No CPE string was supplied in the input, so exact edition/build coverage is not machine-confirmed. Vendor product information is available at https://www.bessystem.com/product/0ad9b8c4d6af462b8d15723a5f25a87d/info?p=101, and the descriptor grammar referenced is http://www.bessystem.com/appserver/dtds/bes-web-app_2_5-0.dtd. No fixed version is identified in the provided references.
RemediationAI
No vendor-released patch identified at time of analysis; none of the provided references (vendor product page, DTD, third-party gist) name a fixed build. Contact BESSystem/Baolande directly for a patched release beyond 9.5.x and monitor https://www.bessystem.com/product/0ad9b8c4d6af462b8d15723a5f25a87d/info?p=101 for updates. As compensating controls, audit every deployed web application's bes-web.xml and remove or tightly scope the "pre-resource" configuration so it cannot expose protected paths; place the application server behind a reverse proxy or WAF that blocks direct requests to internal/config resource paths; and restrict network reachability of the management and application ports to trusted segments only. Trade-off: disabling or narrowing "pre-resource" may break applications that legitimately rely on pre-loaded resource mapping, so validate in staging before production rollout.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today