CVE-2023-7325: CWE-306 Missing Authentication for Critical Function in Anheng Information (Hangzhou DBAPP Security Information Technology Co., Ltd.) Mingyu Operations and Maintenance Audit and Risk Control System
Anheng Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 contains a server-side request forgery (SSRF) vulnerability in the xmlrpc.sock handler. The product accepts specially crafted XML-RPC requests that can be used to instruct the server to connect to internal Unix socket RPC endpoints and perform privileged XML-RPC methods. An attacker able to send such requests can invoke administrative RPC methods via the Unix socket interface to create arbitrary user accounts on the system, resulting in unauthorized account creation and potential takeover of the bastion host. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:17.837319 UTC.
AI Analysis
Technical Summary
CVE-2023-7325 affects the Mingyu Operations and Maintenance Audit and Risk Control System developed by Anheng Information (Hangzhou DBAPP Security Information Technology Co., Ltd.). The vulnerability resides in the xmlrpc.sock handler, which processes XML-RPC requests via a Unix domain socket interface. Due to missing authentication controls (CWE-306) and the ability to perform server-side request forgery (CWE-918), an attacker can craft malicious XML-RPC requests that bypass normal access restrictions and invoke privileged RPC methods. These methods allow the creation of arbitrary user accounts on the bastion host system, effectively granting administrative control. The vulnerability requires no authentication, no user interaction, and can be exploited remotely over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) indicates network attack vector, low complexity, no privileges or user interaction needed, and high impact on confidentiality and integrity. This makes the vulnerability highly dangerous, especially since bastion hosts serve as critical gateways for secure administrative access to internal networks. The lack of available patches increases the urgency for mitigation. Exploitation in the wild has been confirmed by VulnCheck as of October 30, 2025, underscoring active threat actor interest.
Potential Impact
For European organizations, the impact of CVE-2023-7325 is severe. Bastion hosts are often deployed in critical infrastructure, financial institutions, government agencies, and large enterprises to control and audit privileged access. Successful exploitation allows attackers to create unauthorized administrative accounts, bypassing all access controls and potentially gaining persistent footholds. This can lead to data breaches, unauthorized system modifications, lateral movement, and disruption of operations. Confidentiality and integrity of sensitive data and systems are at high risk. Given the critical role of bastion hosts, availability may also be indirectly affected if attackers disable or manipulate these systems. The vulnerability's remote exploitability without authentication makes it a prime target for attackers aiming to compromise European organizations that use this product or similar bastion host solutions. Additionally, the lack of patches means organizations must rely on compensating controls to reduce risk.
Mitigation Recommendations
1. Immediate network segmentation: Restrict access to the xmlrpc.sock interface to trusted management networks only, using firewall rules or network ACLs.
2. Implement strict ingress filtering on bastion hosts to block unauthorized XML-RPC requests from untrusted sources.
3. Monitor and log all XML-RPC requests and Unix socket interactions for anomalous activity indicative of exploitation attempts.
4. Employ host-based intrusion detection systems (HIDS) to detect unauthorized user account creation or privilege escalations.
5. If possible, disable or restrict the xmlrpc.sock handler until a vendor patch is available.
6. Conduct thorough audits of existing user accounts on bastion hosts to identify and remove unauthorized accounts.
7. Use multi-factor authentication (MFA) and strong access controls on bastion hosts to limit the impact of compromised accounts.
8. Engage with the vendor for timely patch releases and apply updates as soon as they become available.
9. Educate security teams about this specific threat to improve detection and response capabilities.
10. Consider deploying network-level application firewalls capable of inspecting and blocking malicious XML-RPC payloads.
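The monitoring and account-audit items above (3, 4 and 6) are the ones a defender can script while waiting for a vendor fix. The Python below is an added example written for this page, not code from Anheng, VulnCheck, or the product: it recovers the method name from a captured XML-RPC request body, flags privileged methods that arrive from outside a trusted management network, and diffs a passwd-style account listing against an approved baseline to surface accounts that appeared without authorization. The privileged method names, the management network range, and the sample requests and account listings are constructed placeholders; the advisory does not document the product's real RPC method names.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical privileged method names used only to drive this example. The
# advisory does not document the product's actual RPC method names.
PRIVILEGED_METHODS: Set[str] = {"user.create", "user.setRole", "system.exec"}

# Management networks allowed to reach the XML-RPC interface (mitigation item 1).
# Constructed RFC 1918 range for the example.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]


def parse_method_name(body: bytes) -> Optional[str]:
    """Extract <methodName> from an XML-RPC methodCall body.

    Returns None for anything that is not a well-formed methodCall so the
    caller can treat it as suspicious instead of silently ignoring it.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName")
    return name.strip() if name else None


def classify_request(src_ip: str, body: bytes) -> str:
    """Decide how a monitoring hook should treat one captured request.

    'allow'           - non-privileged method, or privileged method from a trusted net
    'alert:untrusted' - privileged method requested from outside the management nets
    'alert:malformed' - body is not a valid methodCall (bad XML, parser probing)
    """
    method = parse_method_name(body)
    if method is None:
        return "alert:malformed"
    if method not in PRIVILEGED_METHODS:
        return "allow"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in TRUSTED_MGMT_NETS):
        return "allow"
    return "alert:untrusted"


def diff_accounts(baseline_passwd: str, current_passwd: str) -> List[Dict[str, str]]:
    """Compare two /etc/passwd-style snapshots (mitigation items 4 and 6).

    Flags accounts absent from the approved baseline and any non-root account
    carrying UID 0, a common sign of a planted administrator account.
    """
    def parse(text: str) -> Dict[str, int]:
        users: Dict[str, int] = {}
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) < 3:
                continue
            users[fields[0]] = int(fields[2])
        return users

    known = parse(baseline_passwd)
    now = parse(current_passwd)
    findings: List[Dict[str, str]] = []
    for name, uid in sorted(now.items()):
        if name not in known:
            findings.append({"user": name, "reason": "not in approved baseline"})
        if uid == 0 and name != "root":
            findings.append({"user": name, "reason": "uid 0 but not root"})
    return findings


# Constructed sample traffic: a benign call, a privileged call from the
# management network, the same call from an untrusted address, and a truncated body.
SAMPLE_REQUESTS: List[Tuple[str, bytes]] = [
    ("10.10.0.5", b"<?xml version='1.0'?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>"),
    ("10.10.0.5", b"<methodCall><methodName>user.create</methodName><params><param><value><string>ops-admin</string></value></param></params></methodCall>"),
    ("203.0.113.7", b"<methodCall><methodName>user.create</methodName><params><param><value><string>svc_tmp</string></value></param></params></methodCall>"),
    ("203.0.113.7", b"<methodCall><methodName>user.create"),
]

# Constructed account snapshots: the current one contains an extra UID 0 account.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
ops:x:1000:1000::/home/ops:/bin/bash
"""
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
ops:x:1000:1000::/home/ops:/bin/bash
svc_tmp:x:0:0::/home/svc_tmp:/bin/bash
"""


def run_checks() -> Tuple[List[str], List[Dict[str, str]]]:
    """Run both checks over the constructed samples and return their results."""
    verdicts = [classify_request(ip, body) for ip, body in SAMPLE_REQUESTS]
    return verdicts, diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD)


if __name__ == "__main__":
    verdicts, findings = run_checks()
    for (ip, _), verdict in zip(SAMPLE_REQUESTS, verdicts):
        print(f"{ip:<14} {verdict}")
    for item in findings:
        print(f"account finding: {item['user']}: {item['reason']}")
```

In a real deployment the request bodies would come from a proxy or socket tap in front of the xmlrpc.sock handler and the account listing from a scheduled collection job; the two functions return structured verdicts so they can feed a SIEM rule rather than only a console.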
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-10-30T18:47:16.870Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6903d7ddaebfcd54749bf69a
Added to database: 10/30/2025, 9:25:49 PM
Last enriched: 10/30/2025, 9:41:01 PM
Last updated: 10/31/2025, 3:15:44 PM