Which versions of Jinher OA are affected by CVE-2025-7523?

Jinher OA systems are vulnerable to XML External Entity (XXE) attacks through a publicly disclosed exploit with no patch currently available.

Is there a public PoC exploit available for CVE-2025-7523?

Yes, a public proof-of-concept exploit is available for CVE-2025-7523. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-7523?

Within 24 hours: Inventory all Jinher OA 1.0 installations and restrict network access to the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. Within 7 days: Deploy WAF rules to block XXE payloads and implement application-level input validation; consider disabling the DelTemp.aspx functionality if not business-critical. Within 30 days: Engage Jinher for patch availability timeline; evaluate migration to patched versions or alternative solutions; conduct forensic review for signs of exploitation.

Jinher OA CVE-2025-7523

Q: What is the CVSS score of CVE-2025-7523?

CVE-2025-7523 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2025-21250 MEDIUM

Externally Controlled Reference to a Resource in Another Sphere (CWE-610)

2025-07-13 cna@vuldb.com

XXE

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

HIGH MEDIUM

CVSS changed

Apr 29, 2026 - 01:11 NVD

7.3 (HIGH) 5.5 (MEDIUM)

EUVD ID Assigned

Mar 16, 2026 - 09:18 euvd

EUVD-2025-21250

Analysis Generated

Mar 16, 2026 - 09:18 vuln.today

PoC Detected

Aug 26, 2025 - 12:37 vuln.today

Public exploit code

CVE Published

Jul 13, 2025 - 07:15 nvd

HIGH 7.3

DescriptionCVE.org

A vulnerability was found in Jinher OA 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AnalysisAI

CVE-2025-7523 is an XML External Entity (XXE) injection vulnerability in Jinher OA 1.0 affecting the /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx endpoint. An unauthenticated remote attacker can exploit this to read sensitive files, modify data, or cause denial of service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

Technical ContextAI

The vulnerability is classified as CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), a variant of XXE injection. The affected endpoint (DelTemp.aspx) is an ASP.NET web form component within Jinher OA's messaging module that improperly processes XML input without disabling external entity resolution. Jinher OA is a Chinese office automation platform built on Microsoft .NET/ASP.NET technology. The vulnerability likely exists in XML parsing libraries (System.Xml namespace in .NET) that process untrusted input from client requests without XXE protections such as DTD disabling or entity resolver restrictions. This is a server-side request forgery (SSRF)-adjacent attack class where attackers can reference external XML entities to exfiltrate local files or internal network resources.

RemediationAI

Immediate actions: (1) Apply vendor patch from Jinher—contact Jinher support for security updates addressing CVE-2025-7523; (2) If patch unavailable, disable or restrict access to /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx via firewall/WAF rules; (3) Implement network segmentation to limit access to Jinher OA from untrusted networks; (4) Apply XXE-specific mitigations in ASP.NET: disable DTD processing, disable external entity resolution in System.Xml.XmlDocument and XmlTextReader (set ProhibitDtd=true, XmlResolver=null). Long-term: upgrade to patched Jinher OA version when released; implement input validation and XML schema enforcement; deploy WAF rules to detect XXE payloads (DOCTYPE detection, entity declarations).

CVE-2025-7523 vulnerability details – vuln.today

Back