CVE-2025-9602

Summary

A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

Affected Software

VendorProductVersion RangeStatus
XinhuRockOA2.6.0affected
XinhuRockOA2.6.1affected
XinhuRockOA2.6.2affected
XinhuRockOA2.6.3affected
XinhuRockOA2.6.4affected
XinhuRockOA2.6.5affected
XinhuRockOA2.6.6affected
XinhuRockOA2.6.7affected
XinhuRockOA2.6.8affected
XinhuRockOA2.6.9affected

Weaknesses

  • CWE-285: Improper Authorization
  • CWE-266: Incorrect Privilege Assignment

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References