CVE-2025-5680

Summary

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Affected Software

VendorProductVersion RangeStatus
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.0affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.1affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.2affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.3affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.4affected
Shenzhen Dashi Tongzhou Information TechnologyAgileBPM2.5.0affected

Weaknesses

  • CWE-502: Deserialization
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References