CVE-2025-10816 is a security vulnerability identified in Jinher OA version 2.0, specifically within the XML Handler component located at the endpoint /c6/Jhsoft.Web.module/ToolBar/GetWordFileName.aspx/?text=GetUrl&style=add. The flaw is an XML External Entity (XXE) reference vulnerability, which occurs when an XML parser processes external entity references within XML input without proper validation or sanitization. This allows an attacker to manipulate XML input to cause the parser to access unauthorized files or network resources, potentially leading to information disclosure, server-side request forgery (SSRF), or denial of service (DoS). The vulnerability can be exploited remotely without requiring authentication or user interaction, increasing its risk profile. The CVSS v4.0 score is 6.9, indicating a medium severity level, with the vector highlighting network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no public exploit is currently known to be actively used in the wild, the existence of a public exploit increases the likelihood of exploitation attempts. The vulnerability affects only Jinher OA 2.0, a specific enterprise office automation product, which may be deployed in organizational environments for workflow and document management. The lack of available patches or mitigations at the time of publication necessitates immediate attention from users of this software to prevent exploitation.

For European organizations using Jinher OA 2.0, this vulnerability poses a risk of unauthorized data exposure and potential disruption of business processes. Exploitation could allow attackers to read sensitive configuration files or internal documents, leading to confidentiality breaches. Additionally, attackers might leverage the XXE flaw to perform SSRF attacks, potentially pivoting into internal networks or causing denial of service conditions by exhausting server resources. Given that Jinher OA is an enterprise tool, compromised systems could impact multiple departments, affecting operational continuity. The medium severity rating suggests that while the impact is not critical, it is significant enough to warrant prompt remediation to avoid data leaks or service interruptions. European organizations with compliance obligations under GDPR must be particularly cautious, as data breaches resulting from this vulnerability could lead to regulatory penalties and reputational damage.

Organizations should immediately assess their use of Jinher OA 2.0 and restrict external network access to the affected endpoint where possible. Network-level controls such as web application firewalls (WAFs) can be configured to detect and block XML payloads containing external entity references. Input validation should be enforced to reject XML inputs with DOCTYPE declarations or external entities. If feasible, disabling external entity processing in the XML parser configuration is a critical mitigation step. Monitoring logs for unusual XML requests or errors related to XML parsing can help detect exploitation attempts. Since no official patch is currently available, organizations should engage with Jinher for updates and consider temporary compensating controls such as isolating the OA system from sensitive internal networks. Regular backups and incident response plans should be reviewed to prepare for potential exploitation scenarios.