CVE-2025-13250: Improper Access Controls in WeiYe-Jing datax-web
A vulnerability was detected in WeiYe-Jing datax-web up to 2.1.2. This impacts the function remove/update/pause/start/triggerJob of the component Job Handler. Performing manipulation results in improper access controls. The attack may be initiated remotely. The exploit is now public and may be used.
AI Analysis
Technical Summary
CVE-2025-13250 is a vulnerability identified in WeiYe-Jing's datax-web product, specifically affecting versions 2.1.0 through 2.1.2. The flaw resides in the Job Handler component, which manages job lifecycle functions such as remove, update, pause, start, and triggerJob. Due to improper access control mechanisms, attackers with limited privileges can remotely invoke these functions without proper authorization, leading to unauthorized manipulation of scheduled jobs. This can compromise the integrity and availability of job execution workflows, potentially disrupting automated processes or causing unintended job executions or cancellations. The vulnerability is exploitable remotely over the network without requiring user interaction or elevated privileges beyond limited access, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no exploits have been observed in the wild yet, the public availability of exploit information raises the likelihood of future exploitation. The absence of vendor patches at the time of disclosure necessitates immediate compensating controls to mitigate risk. This vulnerability is particularly concerning for environments relying heavily on datax-web for job scheduling and automation, where unauthorized job manipulation could lead to operational disruptions or data inconsistencies.
Potential Impact
For European organizations, the improper access control vulnerability in datax-web could lead to unauthorized manipulation of critical job scheduling functions, impacting business continuity and operational integrity. Attackers could remotely pause, start, update, or remove jobs, potentially disrupting automated workflows, delaying critical data processing, or triggering unintended actions. This may result in data integrity issues, operational downtime, or cascading failures in dependent systems. Organizations in sectors such as finance, manufacturing, telecommunications, and public services that rely on automated job management are particularly vulnerable. The medium CVSS score reflects moderate risk, but the ease of remote exploitation without user interaction increases the threat level. Additionally, the public availability of exploit details may accelerate attack attempts, increasing the urgency for European entities to address this vulnerability promptly. Failure to mitigate could lead to reputational damage, regulatory scrutiny under GDPR if data processing is affected, and financial losses due to operational disruptions.
Mitigation Recommendations
1. Apply official patches from WeiYe-Jing as soon as they become available to address the improper access control issue directly.
2. Until patches are released, restrict network access to the datax-web management interface using firewalls, VPNs, or network segmentation to limit exposure to trusted administrators only.
3. Implement strict role-based access controls (RBAC) within datax-web to ensure only authorized personnel can perform job management operations.
4. Enable detailed logging and monitoring of job handler activities to detect unauthorized attempts to manipulate jobs.
5. Conduct regular audits of job schedules and changes to identify suspicious or unauthorized modifications.
6. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect anomalous requests targeting job handler functions.
7. Educate system administrators about the vulnerability and the importance of promptly applying security updates and monitoring job management activities.
8. Consider deploying web application firewalls (WAF) with custom rules to block suspicious API calls related to job manipulation until patches are applied.
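As an added illustration of recommendations 2 to 4 (this is example code, not part of this advisory or of datax-web itself), the following Python scans constructed access-log lines for Job Handler operations (remove/update/pause/start/trigger) performed by a non-admin role or from outside the admin network. The /job/<op> path layout, the ROLE_ADMIN role name, the trusted network and the log line format are assumptions to be adjusted to the real deployment.

```python
import ipaddress
import re

# ASSUMPTION: the management interface exposes the Job Handler operations under a
# /job/<op> path; adjust the pattern to the routes of the actual deployment.
JOB_PATH_RE = re.compile(r"/job/(?P<op>remove|update|pause|start|trigger(?:Job)?)(?:[/?]|$)")
# ASSUMPTION: roles allowed to manage jobs (item 3) and the admin network (item 2).
ALLOWED_ROLES = {"ROLE_ADMIN"}
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample log lines: client ip, user, role, method, path, status.
SAMPLE_LOG = """\
10.10.0.5 admin ROLE_ADMIN POST /api/job/pause?id=12 200
203.0.113.7 viewer ROLE_USER POST /api/job/remove?id=12 200
10.10.0.9 ops ROLE_USER POST /api/job/trigger?id=3 200
203.0.113.7 - - POST /api/job/start?id=3 401
10.10.0.5 admin ROLE_ADMIN GET /api/job/list 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return findings for one parsed entry; an empty list means nothing suspicious."""
    m = JOB_PATH_RE.search(entry["path"])
    if not m:
        return []  # not a Job Handler operation
    op = m.group("op")
    # Rejected attempts are still recorded: they show probing of the handler.
    if entry["status"] in ("401", "403"):
        return [f"rejected {op} attempt from {entry['ip']}"]
    findings = []
    if entry["role"] not in ALLOWED_ROLES:
        findings.append(f"{op} by non-admin user {entry['user']} ({entry['role']})")
    ip = ipaddress.ip_address(entry["ip"])
    if not any(ip in net for net in TRUSTED_NETS):
        findings.append(f"{op} from untrusted address {entry['ip']}")
    return findings


def scan(log_text):
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            findings.extend(classify(entry))
    return findings
```

Running scan(SAMPLE_LOG) flags the non-admin remove and trigger calls, the untrusted source address, and the rejected start attempt, while the admin's pause and the read-only list call produce nothing.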
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-15T15:04:42.385Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6919c1b3f176205dc4fad9dd
Added to database: 11/16/2025, 12:21:07 PM
Last enriched: 11/16/2025, 12:26:02 PM
Last updated: 11/16/2025, 3:06:16 PM