CVE-2025-25785

CVE-2025-25785 is a Server-Side Request Forgery (SSRF) vulnerability affecting JizhiCMS version 2.5.4, specifically within the \c\PluginsController.php component. This flaw enables attackers to conduct intranet scans through a crafted request, as documented under CWE-918. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality and integrity.

Remote, unauthenticated attackers can exploit this vulnerability by sending specially crafted requests to the affected JizhiCMS instance. Successful exploitation allows them to perform intranet scans, potentially accessing internal network resources, services, or metadata that would otherwise be inaccessible from the internet. The high confidentiality and integrity impacts suggest broader risks, such as unauthorized data exfiltration or manipulation of internal systems reachable via the SSRF.

Vendor references are available at http://jizhicms.com and https://www.jizhicms.cn/, which security practitioners should consult for any advisories, patches, or mitigation guidance related to this vulnerability in JizhiCMS v2.5.4. The CVE was published on 2025-02-26T15:15:26.720.