CVE-2025-10092: XML External Entity Reference in Jinher OA
A vulnerability was found in Jinher OA up to 1.2. This impacts an unknown function of the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add of the component XML Handler. The manipulation results in XML external entity reference. The attack can be executed remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-10092 is a security vulnerability identified in Jinher OA versions up to 1.2, specifically affecting an XML Handler component reached through the file /c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx/?Type=add. The vulnerability is an XML External Entity (XXE) reference flaw: the handler processes the document type definition of attacker-supplied XML, so external entities declared there are resolved by the parser. Depending on what those entities point at, this can lead to unauthorized disclosure of internal files, server-side request forgery (SSRF) against hosts reachable from the application server, or denial of service (DoS) through entity expansion. The vulnerability is remotely exploitable without authentication or user interaction, which makes it particularly dangerous. The CVSS 4.0 base score is 6.9 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). No exploitation in the wild is known at the time of writing, but public exploit code is available, which raises the likelihood of attempts. The root cause is improper handling of XML input: external entity references are processed rather than rejected, which an attacker can leverage to read sensitive data or disrupt service operations. Because Jinher OA is an office automation platform, successful exploitation could compromise internal business workflows and sensitive organizational data.
Potential Impact
For European organizations using Jinher OA versions 1.0 through 1.2, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of internal systems. Because the flaw can be exploited remotely without authentication, attackers can potentially read sensitive internal files, use SSRF to pivot within internal networks, or cause service disruptions. This could lead to data breaches involving personal data protected under GDPR, operational downtime, and loss of trust. Since Jinher OA is used for office automation, the impact could extend to critical business processes, including project management and task tracking, affecting productivity and compliance. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, are particularly at risk. The medium severity rating indicates that, while the vulnerability is serious, exploitation may require some technical skill or specific conditions; the absence of any privilege or user-interaction requirement nonetheless lowers the barrier for attackers.
Mitigation Recommendations
European organizations should immediately assess their use of Jinher OA and identify whether affected versions (1.0, 1.1, 1.2) are deployed. In the absence of an official patch (none currently linked), organizations should implement the following mitigations:
1) Disable or restrict XML external entity processing in the XML parsers used by Jinher OA, if configurable.
2) Employ web application firewalls (WAFs) with rules that detect and block XXE attack patterns targeting the vulnerable endpoint (/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx).
3) Restrict network egress from the application server to prevent SSRF exploitation.
4) Monitor logs for unusual XML payloads or access patterns to the vulnerable endpoint.
5) Isolate Jinher OA servers within segmented network zones to limit lateral movement.
6) Engage Jinher vendor support for updates or patches and plan for timely application once available.
7) Conduct security testing and code review of XML handling components to identify and remediate similar issues.
8) Educate development and security teams about XXE risks and secure XML processing best practices.
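As an added illustration of mitigations 1, 2 and 4 (a DTD-rejecting parse path plus a detector for XXE indicators in captured request bodies), and not code from Jinher or from this advisory, the following Python script builds a guard on the standard library's expat bindings. The endpoint path is the one named above; the request bodies in SAMPLE_REQUESTS and all function names are constructed for the example. The .aspx endpoint indicates an ASP.NET application, so the equivalent fix inside the product would be made in its .NET XML parser settings; this script is the out-of-band check a defender can run over logged request bodies or place in front of an XML handler.

```python
"""Added example (not Jinher OA code): a DTD-rejecting XML guard used both as a
hardened parse path and as a detector for XXE indicators in request bodies.
Standard library only."""
from typing import Iterable, List, Optional, Tuple
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DTD or entity construct we refuse."""


def _guard_parser() -> "expat.XMLParserType":
    """Build an expat parser whose DTD-related callbacks abort the parse.

    Aborting at the start of the DOCTYPE means no entity (internal, external
    or parameter) is ever declared, so nothing can be expanded (DoS) or
    fetched from a file or URL (disclosure / SSRF). The two later handlers
    are defence in depth should the DOCTYPE handler ever be removed."""
    p = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("doctype")

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError("entity_decl")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError("external_entity")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity_decl
    p.ExternalEntityRefHandler = reject_external_ref
    return p


def xxe_indicators(body: bytes) -> Optional[str]:
    """Classify an XML request body.

    Returns None for a well-formed, DTD-free document; "doctype",
    "entity_decl" or "external_entity" when such a construct is met; and
    "malformed" when the body is not well-formed XML (and no DTD construct
    was seen first). Being a real parser rather than a regex, it is not
    fooled by an encoding declaration or UTF-16 BOM that a naive
    '<!DOCTYPE' substring match would miss."""
    try:
        _guard_parser().Parse(body, True)
    except UnsafeXmlError as err:
        return str(err)
    except expat.ExpatError:
        return "malformed"
    return None


def parse_untrusted(body: bytes) -> ET.Element:
    """Hardened parse path: refuse anything the guard flags, then parse the
    DTD-free document with ElementTree."""
    reason = xxe_indicators(body)
    if reason is not None:
        raise UnsafeXmlError(reason)
    return ET.fromstring(body)


def scan_request_log(entries: Iterable[Tuple[str, bytes]],
                     watched_path: str) -> List[Tuple[str, str]]:
    """Mitigation 4: review captured request bodies for the watched endpoint
    and report (path, reason) for each suspicious one."""
    hits = []
    for path, body in entries:
        if not path.startswith(watched_path):
            continue
        reason = xxe_indicators(body)
        if reason is not None:
            hits.append((path, reason))
    return hits


# Constructed sample traffic for the endpoint named in the advisory.
ENDPOINT = "/c6/Jhsoft.Web.projectmanage/TaskManage/AddTask.aspx"
SAMPLE_REQUESTS = [
    (ENDPOINT + "/?Type=add", b"<task><name>weekly report</name></task>"),
    (ENDPOINT + "/?Type=add",
     b'<?xml version="1.0"?><!DOCTYPE t [<!ENTITY x SYSTEM "file:///placeholder">]>'
     b"<task><name>&x;</name></task>"),
    (ENDPOINT + "/?Type=add",
     b'<!DOCTYPE t [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><task>&b;</task>'),
    (ENDPOINT + "/?Type=add", b"<task><name>"),
    ("/c6/login.aspx", b"<!DOCTYPE t><t/>"),  # outside the watched path, ignored
]

if __name__ == "__main__":
    for path, reason in scan_request_log(SAMPLE_REQUESTS, ENDPOINT):
        print(f"{reason:16s} {path}")
```

Rejecting every DOCTYPE is deliberate: a task-creation endpoint has no legitimate need for a DTD, and refusing at the declaration avoids ever deciding which entities are "safe". The same classification can feed a WAF rule or a SIEM alert, since the reason string tells an analyst whether a body merely failed to parse or actually carried entity constructs.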
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-08T04:58:02.481Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bec20dd5a2966cfc7f292d
Added to database: 9/8/2025, 11:46:21 AM
Last enriched: 9/8/2025, 12:01:23 PM
Last updated: 9/8/2025, 2:03:53 PM
Related Threats
- CVE-2025-10096: Server-Side Request Forgery in SimStudioAI sim (Medium)
- CVE-2025-59033: n/a (High)
- CVE-2025-55998: n/a (High)
- CVE-2025-52161: n/a (High)
- CVE-2025-40930: CWE-122 Heap-based Buffer Overflow in PJUHASZ JSON::SIMD (High)