CVE-2025-11035: XML External Entity Reference in Jinher OA
A vulnerability was determined in Jinher OA 2.0. The impacted element is an unknown function of the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl&style=1. Manipulating this input results in an XML external entity (XXE) reference. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
CVE-2025-11035 is a medium-severity XML External Entity (XXE) vulnerability identified in Jinher OA version 2.0, specifically within an unknown function in the file /c6/Jhsoft.Web.module/ToolBar/ManageWord.aspx/?text=GetUrl&style=1. The vulnerability arises from improper handling of XML input: the parser accepts a client-supplied DTD, so an attacker can declare and reference external entities. The flaw can be exploited remotely with no user interaction and only low privileges, as indicated by the CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N). The vulnerability impacts confidentiality, integrity, and availability to a limited extent (VC:L/VI:L/VA:L), suggesting partial data disclosure or modification and potential service disruption. The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The root cause is the unsafe processing of XML data that allows external entity references, which can lead to sensitive file disclosure, server-side request forgery (SSRF), or denial of service (DoS) depending on the attacker's payload. The affected product, Jinher OA, is an office automation system used for enterprise resource planning and workflow management, so exploitation could expose sensitive organizational data or disrupt business processes. The lack of available patches or mitigation links means that organizations must proactively implement defensive measures until an official fix is released.
Potential Impact
For European organizations using Jinher OA 2.0, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized disclosure of sensitive internal documents or configuration files, potentially exposing confidential business information or user credentials. Additionally, attackers might leverage the vulnerability to perform SSRF attacks, pivoting into internal networks or accessing restricted resources. The partial impact on integrity and availability could disrupt workflow automation, causing operational delays or data inconsistencies. Given the remote exploitability without user interaction, attackers could automate attacks at scale, increasing risk exposure. Organizations in regulated sectors such as finance, healthcare, or government may face compliance issues if sensitive data is leaked. The absence of known active exploitation reduces immediate risk but does not eliminate the threat, especially as exploit code may become available following public disclosure.
Mitigation Recommendations
European organizations should immediately audit their Jinher OA 2.0 deployments to identify vulnerable instances. Until an official patch is available, it is critical to implement network-level protections such as web application firewalls (WAFs) configured to detect and block XML external entity payloads and suspicious XML content. Disabling XML external entity processing in the application's XML parsers, if configurable, is a strong mitigation step; since the affected page is an .aspx handler, the relevant knobs in the .NET XML APIs are XmlReaderSettings.DtdProcessing set to DtdProcessing.Prohibit and a null XmlResolver (including XmlDocument.XmlResolver) on every parser the application creates, because a document that cannot declare a DTD cannot declare an entity. Restricting outbound network connectivity from the Jinher OA server can limit SSRF impact. Monitoring application logs for unusual XML parsing errors, for request bodies carrying DOCTYPE or ENTITY declarations where the application never expects them, and for outbound file or HTTP fetches originating from the XML parser can provide early detection. Organizations should also segment the Jinher OA servers from sensitive internal networks to reduce lateral movement risk. Finally, maintain close communication with the vendor for patch releases and apply updates promptly once available.
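The two parser-side controls above (refuse any DTD before parsing, and classify rejected bodies for the monitoring step) are shown below as an added example; this is not Jinher OA code, and Python's standard library is used here only because it makes the gate self-contained. The sample documents are constructed for the example, and the file path in the external-entity sample is a placeholder, not a real target.

```python
"""Pre-parse gate for XML from untrusted clients (added example, not product code).

Refusing any DTD at all is the simplest complete answer to XXE: with no DOCTYPE
there can be no ENTITY declaration, so neither external entities (file
disclosure, SSRF) nor recursive internal entities (entity-expansion DoS) can
be declared by the client.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DtdRejected(ValueError):
    """Raised when an untrusted XML document declares a DTD."""


class _DoctypeSeen(Exception):
    """Internal signal: abort the expat scan as soon as a DOCTYPE appears."""


def declares_dtd(xml_bytes: bytes) -> bool:
    """Return True if the document carries a DOCTYPE declaration.

    expat's own tokenizer is used instead of a regex: the text '<!DOCTYPE'
    inside a comment or CDATA section is not a declaration and is ignored,
    while a real declaration is reported however it is spaced or encoded.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _DoctypeSeen  # propagates out of Parse(); no entity is ever resolved

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except _DoctypeSeen:
        return True
    except xml.parsers.expat.ExpatError:
        # No DOCTYPE was reported before the error, so this is ordinary
        # malformed markup; the real parser will report it to the caller.
        return False
    return False


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse client XML, refusing any document that declares a DTD."""
    if declares_dtd(xml_bytes):
        raise DtdRejected("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(xml_bytes)


def triage(xml_bytes: bytes) -> str:
    """Label a request body for logging: 'rejected-dtd', 'malformed' or 'accepted'."""
    try:
        parse_untrusted_xml(xml_bytes)
    except DtdRejected:
        return "rejected-dtd"
    except ET.ParseError:
        return "malformed"
    return "accepted"


# Constructed sample inputs (not captured traffic); the SYSTEM path is a placeholder.
BENIGN = b'<?xml version="1.0"?><doc><text>GetUrl</text></doc>'
EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
    b'<doc>&ext;</doc>'
)
ENTITY_EXPANSION = (
    b'<!DOCTYPE doc [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b'<doc>&b;</doc>'
)
# A DOCTYPE-looking string inside a comment is not a declaration and passes.
COMMENT_ONLY = b'<doc><!-- <!DOCTYPE x [<!ENTITY e "x">]> --></doc>'

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("external-entity", EXTERNAL_ENTITY),
                        ("entity-expansion", ENTITY_EXPANSION),
                        ("comment-only", COMMENT_ONLY), ("truncated", b"<doc>")]:
        print(f"{label:18s} -> {triage(body)}")
```

The gate reads the prolog twice (once in the scan, once in the real parse), which is cheap because the scan stops at the first DOCTYPE token; the `triage` labels are what a WAF rule or application log line would carry so that the "rejected-dtd" count can be alerted on.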
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-26T08:50:39.186Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d6de61d0242cefa1be041b
Added to database: 9/26/2025, 6:41:37 PM
Last enriched: 9/26/2025, 6:42:03 PM
Last updated: 9/26/2025, 7:48:47 PM