cvebase
CVE-2025-45854
published 2025-06-03

CVE-2025-45854: /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.

Priority: P267 · Severity: critical · CVSS 3.1 base score: 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 2.69% (84.0th percentile)

Affected (2 ranges)

Vendor   Product    Version range   Fixed in
jehc     jehc-bpm   <= 2.0.1        not listed
jehc     jehc-bpm   not listed      not listed

Detection & IOCs (extracted from sources)

URL: /server/executeExec

Request (public PoC, as used in the nuclei template):
POST /server/executeExec HTTP/1.1
Content-Type: application/x-www-form-urlencoded

{"actuator":{"clientIp":"127.0.0.1","port":8082,"applicationName":"testApp","env":"prod","uploadTime":1704523200000,"hasPrefixApplicationName":false,"clientHttpPrefix":"http"},"execParams":{"command":"id"}}

Response matcher (regex, not a YARA rule): uid=[0-9]+.*gid=[0-9]+.*
  • Detect exploitation attempts by monitoring for unauthenticated POST requests to /server/executeExec whose JSON body contains an 'execParams' object with a 'command' field.
  • Fingerprint JEHC-BPM instances by searching HTTP response bodies for the strings 'JEHC' or 'XSHI' (case-insensitive), as the nuclei template's pre-check does.
  • The FOFA query body="JEHC" identifies internet-exposed JEHC-BPM instances that may be vulnerable to this RCE.
  • Successful exploitation returns HTTP 200 with a response body matching uid=[0-9]+.*gid=[0-9]+.*, i.e. the output of the Linux 'id' command. Attacker-chosen commands will produce different output, so treat any 200 response to a matching request as a probable success and not only those matching this regex.
  • The exploit payload sends a JSON body under Content-Type: application/x-www-form-urlencoded; monitor for this unusual combination on the /server/executeExec endpoint.
  • The vulnerability affects JEHC-BPM versions up to and including 2.0.1; the /server/executeExec endpoint is exploitable without authentication.
  • The actuator block in the exploit payload hardcodes clientIp 127.0.0.1 and port 8082, which suggests a loopback-based trust check that is bypassed simply by supplying those values in the body. This is an inference from the payload, not a confirmed description of the server-side logic.
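A detection pass over request/response records, as an added example (this is not code from cvebase, the nuclei template or the JEHC project). It assumes a body-capturing proxy or WAF log (a plain access log does not carry the request body); the HttpRecord shape and the sample records are constructed for the example. It implements the checks listed above: POST to /server/executeExec carrying execParams.command, the form-urlencoded-plus-JSON mismatch, the uid/gid success regex, and the JEHC/XSHI fingerprint.

```python
"""Detection logic for CVE-2025-45854 exploitation attempts against JEHC-BPM.

Added example, not code from cvebase or the JEHC project. Runs over a
constructed list of request/response records; a body-capturing proxy or
WAF log is assumed as the real-world input.
"""
import json
import re
from dataclasses import dataclass

TARGET_PATH = "/server/executeExec"
# Success matcher for the 'id' command, as given in the IOC list.
SUCCESS_RE = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")
# Strings the nuclei pre-check uses to fingerprint JEHC-BPM response bodies.
FINGERPRINT_RE = re.compile(r"JEHC|XSHI", re.IGNORECASE)


@dataclass
class HttpRecord:          # constructed record shape, not a real log format
    method: str
    path: str
    content_type: str
    request_body: str
    status: int
    response_body: str


def extract_command(body: str):
    """Return execParams.command if the body is JSON carrying one, else None."""
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    params = data.get("execParams")
    if isinstance(params, dict) and isinstance(params.get("command"), str):
        return params["command"]
    return None


def classify(rec: HttpRecord) -> dict:
    """Classify one record.

    verdict is one of:
      'none'    - not an attempt against the vulnerable endpoint
      'attempt' - POST to /server/executeExec carrying execParams.command
      'success' - attempt whose 200 response matches the id-output regex
    """
    result = {"verdict": "none", "command": None, "ct_mismatch": False,
              "fingerprint": bool(FINGERPRINT_RE.search(rec.response_body))}
    if rec.method.upper() != "POST" or rec.path.split("?", 1)[0] != TARGET_PATH:
        return result
    cmd = extract_command(rec.request_body)
    if cmd is None:
        return result
    result["command"] = cmd
    result["verdict"] = "attempt"
    # The PoC sends JSON under a form-urlencoded Content-Type; flag that combination.
    result["ct_mismatch"] = "application/x-www-form-urlencoded" in rec.content_type.lower()
    if rec.status == 200 and SUCCESS_RE.search(rec.response_body):
        result["verdict"] = "success"
    return result


# Constructed sample records (not real traffic). The PoC body mirrors the IOC above.
POC_BODY = json.dumps({
    "actuator": {"clientIp": "127.0.0.1", "port": 8082, "applicationName": "testApp",
                 "env": "prod", "uploadTime": 1704523200000,
                 "hasPrefixApplicationName": False, "clientHttpPrefix": "http"},
    "execParams": {"command": "id"},
})

SAMPLE_RECORDS = [
    HttpRecord("GET", "/login", "", "", 200, "<title>JEHC-BPM</title>"),
    HttpRecord("POST", TARGET_PATH, "application/x-www-form-urlencoded", POC_BODY,
               200, "uid=1000(jehc) gid=1000(jehc) groups=1000(jehc)\n"),
    HttpRecord("POST", TARGET_PATH, "application/json",
               '{"execParams":{"command":"whoami"}}', 500, "Internal Server Error"),
    HttpRecord("POST", TARGET_PATH, "application/json", '{"foo":"bar"}', 400, ""),
]


def scan(records):
    """Return (verdict, command, ct_mismatch) for every attempt or success."""
    hits = []
    for rec in records:
        c = classify(rec)
        if c["verdict"] != "none":
            hits.append((c["verdict"], c["command"], c["ct_mismatch"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

The 'attempt' verdict fires on the request alone, so a failed or non-'id' command is still surfaced; the success regex only upgrades the verdict when the response looks like 'id' output, which is why the whoami probe above stays at 'attempt' even though the endpoint may well have run it.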