Cyber Posture

CVE-2025-51743

Critical

Published: 25 November 2025

Modified: 02 December 2025
KEV Added: (none)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /materialCategory/addMaterialCategory endpoint is vulnerable to fastjson deserialization attacks.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Control type: prevent

Timely patching and flaw remediation for the fastjson deserialization vulnerability in JSH_ERP directly eliminates the root cause of CVE-2025-51743 exploitation.

Control type: prevent

Information input validation on the /materialCategory/addMaterialCategory endpoint prevents deserialization of malicious fastjson payloads from untrusted sources.

Control type: prevent, detect

Boundary protection with web application firewalls monitors and blocks crafted network requests targeting the unauthenticated deserialization endpoint.

Security Summary [AI-generated]

CVE-2025-51743 is a critical vulnerability (CVSS score 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) discovered in jishenghua JSH_ERP version 2.3.1. It affects the /materialCategory/addMaterialCategory endpoint, which is vulnerable to fastjson deserialization attacks, mapped to CWE-502 (Deserialization of Untrusted Data). Published on 2025-11-25, this flaw enables insecure processing of untrusted data in the ERP system's material category management functionality.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no authentication privileges or user interaction. Exploitation involves sending a crafted request to the vulnerable endpoint, triggering deserialization of malicious fastjson payloads. This can result in high-impact compromise, including arbitrary code execution, data exfiltration, modification, or denial of service on the affected server.

Mitigation details and further technical analysis are available in referenced advisories, including the discovery report at https://blog.hackpax.top/jsh-erp2/, a proof-of-concept at https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9, and the vendor's repositories at https://gitee.com/jishenghua and https://gitee.com/jishenghua/JSH_ERP. Security practitioners should review these for patching guidance or workarounds specific to JSH_ERP deployments.

Details

CWE(s)

CWE-502 (Deserialization of Untrusted Data)

Affected Products

jishenghua jsherp ≤ 2.3.1

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated deserialization flaw in a public-facing web endpoint, directly enabling exploitation of public-facing applications for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- Discovery report: https://blog.hackpax.top/jsh-erp2/
- Proof-of-concept: https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9
- Vendor: https://gitee.com/jishenghua
- Project repository: https://gitee.com/jishenghua/JSH_ERP