CVE-2025-51746
Published: 25 November 2025
Description
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /serialNumber/addSerialNumber endpoint is vulnerable to fastjson deserialization attacks.
Mitigating Controls (NIST 800-53 r5)AI
Directly validates untrusted inputs to the /serialNumber/addSerialNumber endpoint, preventing fastjson deserialization of malicious payloads leading to RCE.
Remediates the specific deserialization flaw in JSH_ERP 2.3.1 by identifying, patching, and testing updates to the vulnerable fastjson usage.
Enforces boundary protection at web interfaces using WAF or proxies to inspect and block deserialization attack payloads targeting the unauthenticated endpoint.
Security SummaryAI
CVE-2025-51746, published on 2025-11-25, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in jishenghua JSH_ERP version 2.3.1. The issue affects the /serialNumber/addSerialNumber endpoint, which is vulnerable to fastjson deserialization attacks, corresponding to CWE-502 (Deserialization of Untrusted Data).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no authentication, privileges, or user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, potentially allowing arbitrary code execution on the affected system.
Mitigation details and further technical analysis are available in referenced resources, including https://blog.hackpax.top/jsh-erp5/, https://gist.github.com/Paxsizy/cd1557aeba8093a8650601c4dbffb6f9, https://gitee.com/jishenghua, and https://gitee.com/jishenghua/JSH_ERP.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote, unauthenticated deserialization flaw (CWE-502) in a public-facing web endpoint (/serialNumber/addSerialNumber) enabling arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.