CVE-2025-60801
Published: 24 October 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-60801 is an unauthenticated remote code execution (RCE) vulnerability affecting jshERP up to commit fbda24da. The issue stems from the jsh_erp function and is categorized under CWE-77 (Command Injection). It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
The vulnerability enables exploitation by unauthenticated remote attackers with network access to the affected jshERP instance. By interacting with the vulnerable jsh_erp function, attackers can execute arbitrary commands on the server, achieving high integrity impact such as unauthorized data modification, alongside limited confidentiality exposure and no availability disruption.
Mitigation details are referenced in the GitHub issue tracker for jshERP at https://github.com/jishenghua/jshERP/issues/132 and a related advisory at https://fushuling.com/index.php/2025/08/17/%e7%bb%95%e8%bf%87%e8%a1%a5%e4%b8%8c%e5%86%8d%e6%ac%a1%e5%ae%9e%e7%8e%b0%e5%8d%8e%e5%a4%8ferp%e6%9c%aa%e6%8e%88%e6%9d%83rce%e5%b7%b2%e4%bf%ae%e5%a4%8d/. Security practitioners should update to commits beyond fbda24da to address the flaw.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated RCE via command injection in public-facing jshERP application directly enables T1190 (Exploit Public-Facing Application) and facilitates T1059 (Command and Scripting Interpreter) for arbitrary command execution.