CVE-2025-5679

Summary

A vulnerability classified as critical has been found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected is the function parseStrByFreeMarker of the file /src/main/java/com/dstz/sys/rest/controller/SysToolsController.java. The manipulation of the argument str leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.0affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.1affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.2affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.3affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.4affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.5.0affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References