Cyber Posture

CVE-2025-14908

Severity: Medium · Public PoC

Published: 19 December 2025

Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0032 (54.9th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module. Manipulation of the argument ID results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The patch is named e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2/67795493bdc579e489d3ab12e52a1793c4f8a0ee. It is recommended to apply a patch to fix this issue.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Requires timely identification, reporting, and correction of flaws like this improper authentication bypass, directly enabling application of the available patch to prevent exploitation.
- prevent: Mandates enforcement of approved access control policies, directly countering the authentication bypass achieved through ID argument manipulation in the tenant controller.
- prevent: Ensures identification and authentication of organizational users are robustly implemented, preventing bypass vulnerabilities in multi-tenant management functions.

Security Summary [AI]

CVE-2025-14908 is an improper authentication vulnerability (CWE-287) affecting JeecgBoot versions up to 3.9.0. The flaw resides in an unknown function within the Multi-Tenant Management Module, specifically the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java. It is triggered by manipulating the ID argument, leading to authentication bypass.

The vulnerability allows remote exploitation by attackers with low privileges (PR:L), requiring no user interaction (UI:N) and low attack complexity (AC:L). Successful exploitation has limited impact on confidentiality, integrity, and availability (C:L/I:L/A:L), giving an overall CVSS v3.1 base score of 6.3 (Medium). The attack is initiated over the network (AV:N) and the scope is unchanged (S:U).

Advisories recommend applying the available patch, identified by the GitHub commit e1c8f00bf2a2e0edddbaa8119afe1dc92d9dc1d2 or the hash 67795493bdc579e489d3ab12e52a1793c4f8a0ee. Additional details are documented in JeecgBoot GitHub issue #9196 and VulDB entries (ctiid.337432, id.337432).

An exploit for this vulnerability has been publicly released and may be actively exploited.

Details

CWE(s)

Affected Products

jeecg / jeecg boot / ≤ 3.9.0

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper authentication bypass in a public-facing web application's Multi-Tenant Management Module (SysTenantController), exploitable remotely with low privileges via ID manipulation, directly enabling exploitation of a public-facing application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References