CVE-2025-10816 Overview
A critical XML External Entity (XXE) vulnerability has been discovered in Jinher OA 2.0, a widely-used office automation system. The vulnerability exists within the XML Handler component, specifically affecting the file /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl&style=add. Attackers can exploit this flaw remotely without authentication to perform XXE attacks, potentially leading to information disclosure, server-side request forgery, or denial of service conditions.
Critical Impact
Remote attackers can exploit the XXE vulnerability to read sensitive files, perform SSRF attacks, or cause service disruption on affected Jinher OA 2.0 installations without requiring authentication.
Affected Products
- Jinher OA 2.0
- Systems running the affected XML Handler component
- Deployments exposing /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx endpoint
Discovery Timeline
- 2025-09-22 - CVE-2025-10816 published to NVD
- 2025-10-03 - Last updated in NVD database
Technical Details for CVE-2025-10816
Vulnerability Analysis
CVE-2025-10816 is an XML External Entity (XXE) vulnerability that stems from improper handling of XML input in Jinher OA's XML Handler component. The vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere).
The affected endpoint at /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx fails to properly validate or sanitize XML input before processing. This allows attackers to inject malicious external entity references into XML documents, which the server then processes without adequate security controls.
The attack can be executed remotely over the network without requiring any user interaction or prior authentication, making it particularly dangerous for internet-facing Jinher OA installations. The exploit has been publicly disclosed, increasing the risk of opportunistic attacks against vulnerable systems.
Root Cause
The root cause of this vulnerability lies in the insecure configuration of the XML parser within the GetWordFileName.aspx component. The XML processor does not properly disable external entity resolution, allowing attackers to define external entities that reference local files, internal network resources, or external URLs. When the XML document containing these malicious entities is parsed, the server attempts to resolve these references, potentially exposing sensitive information or enabling further attacks.
Attack Vector
The attack is initiated remotely through the network by sending a crafted HTTP request to the vulnerable endpoint. The attacker constructs a malicious XML payload containing external entity declarations that reference sensitive local files (such as /etc/passwd on Linux systems or C:\Windows\win.ini on Windows) or internal network resources. When the vulnerable XML Handler processes this input, it resolves the external entities and may return the contents of the referenced resources in the response, or trigger outbound connections to attacker-controlled servers.
The vulnerability requires no authentication or user interaction, making it exploitable by any attacker who can reach the vulnerable endpoint over the network. The attack typically involves sending a POST request with a specially crafted XML body containing DTD declarations with external entity references.
For detailed technical analysis and proof-of-concept information, refer to the GitHub CVE Issue and VulDB Entry #325174.
Detection Methods for CVE-2025-10816
Indicators of Compromise
- Unusual HTTP requests to /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx containing XML payloads with DOCTYPE declarations
- Server logs showing requests with ENTITY declarations or references to file://, http://, or ftp:// protocols in request bodies
- Outbound connections from the web server to unexpected external hosts
- Access attempts to sensitive system files from the web application process
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing XXE patterns such as <!DOCTYPE, <!ENTITY, and SYSTEM keywords in XML payloads
- Deploy network-based intrusion detection systems (IDS) with signatures for XXE attack patterns targeting the affected endpoint
- Monitor web server access logs for repeated requests to GetWordFileName.aspx with suspicious query parameters
- Configure endpoint detection and response (EDR) solutions to alert on the web server process attempting to read sensitive system files
Monitoring Recommendations
- Enable verbose logging on web servers hosting Jinher OA to capture full request bodies for forensic analysis
- Set up real-time alerting for requests containing XML external entity patterns to the affected endpoint
- Monitor network traffic for outbound connections from the Jinher OA server to unexpected destinations, which may indicate successful XXE exploitation with out-of-band data exfiltration
How to Mitigate CVE-2025-10816
Immediate Actions Required
- Restrict network access to the vulnerable endpoint /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx using firewall rules or web server access controls
- Deploy a Web Application Firewall (WAF) with rules to block XML payloads containing external entity declarations
- Isolate affected Jinher OA instances from sensitive internal network resources until patched
- Monitor systems for signs of exploitation and review access logs for suspicious activity
Patch Information
At the time of publication, no official vendor patch has been confirmed for this vulnerability. Organizations should contact Jinher directly for security updates and remediation guidance. Monitor VulDB Entry #325174 and vendor communication channels for patch availability announcements.
Workarounds
- Disable external entity processing in the XML parser configuration if accessible through application settings
- Implement network segmentation to prevent the Jinher OA server from accessing sensitive internal resources
- Use a reverse proxy or WAF to sanitize incoming requests and strip potentially malicious XML constructs before they reach the application
- Consider temporarily disabling the affected ToolBar functionality if it is not business-critical until a patch is available
# Example WAF rule to block XXE patterns (ModSecurity)
SecRule REQUEST_BODY "@rx <!ENTITY\s+\S+\s+SYSTEM" \
"id:100001,phase:2,deny,status:403,msg:'XXE Attack Attempt Blocked',log"
# Network restriction example (iptables)
# Restrict access to the vulnerable endpoint from external networks
iptables -A INPUT -p tcp --dport 80 -m string --string "GetWordFileName.aspx" --algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
