CRITICAL🇵🇱 Wersja polska

CVE-2025-45854

CVSS 10.0v3.1pub. 2025-06-03upd. 2025-08-26

/server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.

🤖 AI Analysis
How it works

The /server/executeExec endpoint in JEHC-BPM 2.0.1 accepts execution parameters (execParams) without required authorization and without proper input data validation (CWE-862: missing authorization). An attacker can send a crafted network request containing malicious execParams, which are then executed on the server side. The vulnerability is remotely accessible, requires no authentication, and requires no user interaction.

Impact

An attacker can gain full control over the server by executing arbitrary code with the privileges of the application process, which may lead to data theft, installation of backdoors, or complete system compromise. Due to the scope of impact covering confidentiality, integrity, and availability, the consequences may also affect related systems (Scope: Changed).

Mitigation & patch

Apply patches available from the vendor according to the references. Until the fix is implemented, it is recommended to restrict network access to the /server/executeExec endpoint using firewall rules or rules at the application server level, and block access from public networks.

Who is affected

JEHC-BPM version 2.0.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Jehc Bpm

    APP
    Jehc
    ≤ 2.0.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References