Cyber Posture

CVE-2025-14909

Severity: Medium · Public PoC

Published: 19 December 2025
Modified: 29 April 2026
KEV Added: (no date listed)
Patch: available
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0013 (32.0th percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

A weakness has been identified in JeecgBoot up to and including version 3.9.0. The affected component is the SysUserOnlineController class in jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Manipulation of this controller lets a caller manage user sessions beyond what the caller is authorized to do; given the CVSS vector (low privileges required, availability impact only), the most plausible reading is that an ordinary authenticated user can end other users' sessions. The attack can be launched remotely. An exploit has been made available to the public and could be used. The fix is commit b686f9fbd1917edffe5922c6362c817a9361cfbd; applying it is advised.

Mitigating Controls (NIST 800-53 r5)

Prevent (flaw remediation): directly addresses the vulnerability by requiring timely identification, testing, and application of the available patch to remediate the session management flaw in SysUserOnlineController.

Prevent (access enforcement): enforces approved access authorizations so that low-privileged remote attackers cannot manipulate user sessions via the vulnerable controller.

Prevent (least privilege): applies least privilege so that low-privileged users cannot perform session management operations on other users' sessions.
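As an added illustration (hypothetical code written for this page, not JeecgBoot's own SysUserOnlineController; the route /api/online/forceLogout, the role names and the log format are assumed), the following models the access-control failure the controls above describe: a force-logout operation that only checks that the caller is authenticated, the hardened variant that additionally requires the admin role or ownership of the target session, and a small scan over constructed access-log lines that flags session-management calls made by callers without the admin role.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: str
    username: str
    roles: frozenset


class SessionStore:
    """In-memory stand-in for a server-side registry of online sessions (hypothetical)."""

    def __init__(self):
        self._sessions = {}

    def login(self, session_id, username, roles):
        self._sessions[session_id] = Session(session_id, username, frozenset(roles))

    def get(self, session_id):
        return self._sessions.get(session_id)

    def revoke(self, session_id):
        self._sessions.pop(session_id, None)

    def online_users(self):
        return sorted(s.username for s in self._sessions.values())


class Forbidden(Exception):
    pass


def force_logout_vulnerable(store, caller_sid, target_sid):
    """Vulnerable pattern: the only check is that the caller holds some session.
    Any authenticated user can evict any other user (availability impact)."""
    caller = store.get(caller_sid)
    if caller is None:
        raise Forbidden("not authenticated")
    store.revoke(target_sid)


def force_logout_hardened(store, caller_sid, target_sid):
    """Hardened pattern: authentication plus an authorization decision.
    Only an admin may end someone else's session; anyone may end their own."""
    caller = store.get(caller_sid)
    if caller is None:
        raise Forbidden("not authenticated")
    if "admin" not in caller.roles and caller_sid != target_sid:
        raise Forbidden(f"{caller.username} may not manage session {target_sid}")
    store.revoke(target_sid)


def run_scenario(force_logout):
    """Low-privileged 'mallory' tries to evict 'alice'. Returns (outcome, who is still online)."""
    store = SessionStore()
    store.login("sid-admin", "root", ["admin"])
    store.login("sid-alice", "alice", ["user"])
    store.login("sid-mallory", "mallory", ["user"])
    try:
        force_logout(store, "sid-mallory", "sid-alice")
        outcome = "evicted"
    except Forbidden:
        outcome = "denied"
    return outcome, store.online_users()


# Detection side: constructed access-log lines in an assumed format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) roles=(?P<roles>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
SESSION_ADMIN_PATHS = {"/api/online/forceLogout"}  # hypothetical route name

SAMPLE_LOG = """\
2025-12-20T10:00:01Z user=root roles=admin POST /api/online/forceLogout 200
2025-12-20T10:00:07Z user=mallory roles=user POST /api/online/forceLogout 200
2025-12-20T10:00:09Z user=mallory roles=user GET /api/profile 200
2025-12-20T10:00:12Z user=bob roles=user,auditor POST /api/online/forceLogout 403
"""


def flag_unprivileged_session_admin(log_text):
    """Return (timestamp, user, status) for session-management calls by non-admin callers.
    A 200 from a non-admin means the authorization check was missing or bypassed;
    a 403 means the control held but someone still tried."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        roles = set(m["roles"].split(","))
        if m["path"] in SESSION_ADMIN_PATHS and "admin" not in roles:
            hits.append((m["ts"], m["user"], m["status"]))
    return hits


if __name__ == "__main__":
    print("vulnerable:", run_scenario(force_logout_vulnerable))
    print("hardened:  ", run_scenario(force_logout_hardened))
    for hit in flag_unprivileged_session_admin(SAMPLE_LOG):
        print("flagged:", hit)
```

The hardened variant makes the authorization decision explicit and server-side (role or ownership), which is the least-privilege control above; the log scan is the corresponding detective check, with a 200 response to a non-admin caller being the signal that the control is absent on that instance.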

Security Summary

CVE-2025-14909 affects JeecgBoot versions up to and including 3.9.0, specifically the SysUserOnlineController class at jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. The flaw allows a caller to manage user sessions beyond what the caller is authorized to do.

The vulnerability is exploitable remotely by an attacker holding low privileges (PR:L), that is, an ordinary authenticated account, with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation yields a low availability impact (A:L) and no confidentiality or integrity impact, giving CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L). A public exploit exists; the EPSS score is low (0.0013), but on instances where accounts are easy to obtain, for example self-registration, the low-privilege requirement offers little protection.

The fix is commit b686f9fbd1917edffe5922c6362c817a9361cfbd in the JeecgBoot GitHub repository; applying it is advised. Related discussion is in JeecgBoot GitHub issue #9195, and the VulDB entry is ID 337433.

Details

CWE(s)

Affected Products

jeecg / jeecg boot ≤ 3.9.0

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables low-privileged remote attackers to manage user sessions in a web application, resulting in denial of service via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References