
CVE-2025-51742: n/a

Critical
Published: Tue Nov 25 2025 (11/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in jishenghua JSH_ERP 2.3.1. The /material/getMaterialEnableSerialNumberList endpoint passes the search query parameter directly to parseObject(), introducing a Fastjson deserialization vulnerability that can lead to RCE via JDBC payloads.

AI-Powered Analysis

Last updated: 12/02/2025, 20:46:01 UTC

Technical Analysis

CVE-2025-51742 is a remote code execution vulnerability in jishenghua JSH_ERP version 2.3.1, in the /material/getMaterialEnableSerialNumberList API endpoint. The endpoint hands the user-supplied search query parameter straight to Fastjson's parseObject() without validating it. Fastjson is a widely used Java JSON library; when its autoType feature is enabled, or its deny-list checks are bypassed, a JSON document can name the class to instantiate through the "@type" key, and Fastjson will instantiate that class and call its setters with attacker-chosen values. That is deserialization of untrusted data, CWE-502. The "JDBC payloads" in the description refer to this class of gadget: the attacker names a JDBC-related class and supplies a connection URL pointing at a server they control, so the application server itself opens the connection and the driver-side connection handling is abused to run attacker code. The target is therefore code execution on the ERP application server, not only SQL against the ERP's own database.

The analysis rates the flaw as reachable over the network (AV:N) with low attack complexity (AC:L), no privileges required (PR:N, i.e. no authentication) and no user interaction (UI:N), with high impact on confidentiality, integrity and availability (C:H/I:H/A:H), for a CVSS 3.x base score of 9.8. The CVE record itself carries no CVSS vector (see Technical Details below), so this score is the analysis's own estimate; in particular, confirm whether the endpoint sits behind the application's login before relying on PR:N. No public exploit is reported yet, and no patch is listed, so organizations running JSH_ERP 2.3.1 must rely on the mitigations below until a fixed release is available.
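As an added illustration, not code from JSH_ERP or from the advisory, the following Java shows the unsafe pattern the description names (raw query parameter into parseObject()) beside a hardened replacement. The class name, the SearchParams schema and the placeholder gadget class are assumptions made for the example; the endpoint path and the use of Fastjson's parseObject() come from the advisory. setSafeMode() exists in Fastjson 1.2.68 and later.

```java
// Added example, not JSH_ERP's own code. Fastjson 1.2.68+ on the classpath.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class MaterialSerialNumberSearch {

    // VULNERABLE (the pattern the advisory describes): the raw "search" query
    // parameter is handed to parseObject(). If autoType is on or its deny-list
    // can be bypassed, the "@type" key selects the class Fastjson instantiates,
    // and a JDBC-related class can be driven to connect to an attacker-chosen URL.
    static JSONObject parseSearchUnsafe(String search) {
        return JSON.parseObject(search); // attacker-controlled "@type" reaches the deserializer
    }

    // Fixed schema for what the endpoint legitimately accepts (hypothetical fields).
    public static class SearchParams {
        public String materialName;
        public String serialNumber;
        public Integer page;
        public Integer rows;
    }

    // HARDENED: safeMode turns autoType off outright, with no allow-list or
    // deny-list left to bypass. Binding to a fixed class on its own is NOT the fix
    // (older Fastjson still honoured "@type" there); safeMode is what makes any
    // "@type" key fail instead of being honoured.
    static {
        ParserConfig.getGlobalInstance().setSafeMode(true); // process-wide, fastjson >= 1.2.68
    }

    static SearchParams parseSearchSafe(String search) {
        if (search == null || search.isEmpty()) {
            return new SearchParams();
        }
        if (search.length() > 2048) { // bound the input before it reaches the parser
            throw new IllegalArgumentException("search parameter too long");
        }
        try {
            return JSON.parseObject(search, SearchParams.class);
        } catch (JSONException e) {
            // Covers the "safeMode not support autoType" failure Fastjson raises on "@type".
            throw new IllegalArgumentException("malformed search parameter", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs. The second has the shape of an autoType probe,
        // with a placeholder class name and URL rather than a real gadget.
        String benign = "{\"materialName\":\"bolt\",\"page\":1,\"rows\":20}";
        String probe = "{\"@type\":\"placeholder.jdbc.DataSourceClass\","
                + "\"url\":\"jdbc:placeholder://attacker.example/\"}";

        System.out.println("benign -> materialName=" + parseSearchSafe(benign).materialName);
        try {
            parseSearchSafe(probe);
            System.out.println("probe accepted (safeMode not active?)");
        } catch (IllegalArgumentException e) {
            System.out.println("probe rejected: " + e.getMessage());
        }
    }
}
```

With safeMode on, the untyped JSON.parseObject(String) call would also reject "@type", but binding to SearchParams additionally rejects input whose shape the endpoint never expected. The same switch can be applied without a code change via the system property fastjson.parser.safeMode=true, which is the practical option when the vulnerable code is the vendor's and cannot be edited.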

Potential Impact

For European organizations running jishenghua JSH_ERP 2.3.1, this vulnerability poses a severe risk; other ERP products that parse untrusted input with Fastjson are not affected by this CVE but are exposed to the same class of flaw. Successful exploitation can lead to complete takeover of the ERP application server, breaches of sensitive business and customer data, disruption of critical business operations, and lateral movement into the rest of the corporate network. Remote code execution that the analysis assesses as needing no authentication means attackers could deploy ransomware, steal intellectual property, or sabotage supply chains. Because the affected endpoint manages materials and serial numbers, attackers could also manipulate inventory data, causing financial losses and operational disruption. The absence of known exploits leaves a window for proactive defense, but the severity demands immediate attention. European manufacturing, logistics and supply-chain companies that run this or other third-party ERP products are particularly exposed. Breaches stemming from this vulnerability would also fall under GDPR's data protection requirements, with the associated fines and reputational damage.

Mitigation Recommendations

1. Stop feeding the raw parameter to parseObject(): on the /material/getMaterialEnableSerialNumberList endpoint, bind the search parameter to a fixed class with known fields, enforce a length limit, and treat any "@type" key (including unicode-escaped spellings of it) as a rejected request rather than something to sanitize.
2. Disable Fastjson autoType: enable safeMode (the fastjson.parser.safeMode=true system property, or ParserConfig.getGlobalInstance().setSafeMode(true); Fastjson 1.2.68 or later), or move to fastjson2, where autoType is off unless explicitly enabled, or to another JSON library that does not perform polymorphic deserialization of untrusted input. The system property works even where the vulnerable code is the vendor's and cannot be edited.
3. Apply runtime protections: a web application firewall or RASP rule that blocks requests to this endpoint whose search parameter contains "@type" or a JDBC URL, applied after URL decoding and JSON unicode unescaping so encoded variants are caught too.
4. Network segmentation, egress filtering and least privilege: restrict who can reach the ERP system, and block outbound connections from the ERP host to anything other than its own database servers. The JDBC attack path needs the server to connect out to an attacker-controlled endpoint, so egress filtering removes the payload's delivery channel even before a patch exists. Run the application with minimal privileges to limit the impact of a successful exploit.
5. Monitor logs and alerts: flag requests to the endpoint whose search parameter carries "@type" or "jdbc:", and alert on outbound connections from the ERP host to unexpected hosts or database ports.
6. Vendor engagement: engage jishenghua for a patched release or official mitigation and apply it as soon as it is available.
7. Incident response readiness: prepare response plans specific to deserialization attacks and RCE scenarios so containment and recovery can begin quickly.
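One way to implement the monitoring in recommendation 5 over web-server access logs, as an added example that is not part of the advisory or of JSH_ERP: it isolates the search parameter of requests to the vulnerable endpoint, undoes URL encoding and JSON \u escapes (which Fastjson's lexer resolves before it matches the "@type" key, so a plain grep for "@type" misses them), and flags autoType keys and JDBC URLs. The log lines are constructed for the example; Java 10 or later is needed for URLDecoder.decode(String, Charset).

```java
// Added example (not from the advisory or JSH_ERP): scan access logs for autoType
// probes against the vulnerable endpoint. Sample log lines below are constructed.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SerialNumberEndpointDetector {

    static final String ENDPOINT = "/material/getMaterialEnableSerialNumberList";

    // Request line inside a combined-format access log entry: "GET /path?query HTTP/1.1"
    static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST) ([^?\\s]+)(?:\\?(\\S*))? HTTP/");
    // JSON unicode escape (backslash, u, four hex digits) that Fastjson resolves while lexing
    static final Pattern UNICODE_ESC = Pattern.compile("\\\\u([0-9a-fA-F]{4})");

    // Undo the two encodings an attacker can stack: URL percent-encoding, then JSON escapes.
    static String normalize(String raw) {
        String decoded;
        try {
            decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) { // malformed %xx: fall back to the raw value
            decoded = raw;
        }
        Matcher m = UNICODE_ESC.matcher(decoded);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(sb, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(sb);
        return sb.toString().toLowerCase();
    }

    // Value of one query parameter, or null if absent (first occurrence wins).
    static String queryParam(String query, String name) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (key.equals(name)) {
                return eq < 0 ? "" : pair.substring(eq + 1);
            }
        }
        return null;
    }

    // One finding per suspicious line; an empty list means nothing matched.
    static List<String> scan(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find() || !ENDPOINT.equals(m.group(1))) continue;
            String search = queryParam(m.group(2), "search");
            if (search == null) continue;
            String norm = normalize(search);
            if (norm.contains("@type")) {
                findings.add("autoType key in search parameter: " + line);
            } else if (norm.contains("jdbc:")) {
                findings.add("JDBC URL in search parameter: " + line);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> lines = List.of(
            // legitimate lookup: {"materialName":"bolt"}
            "10.0.0.5 - - [25/Nov/2025:10:00:01 +0000] \"GET " + ENDPOINT
                + "?search=%7B%22materialName%22%3A%22bolt%22%7D&page=1 HTTP/1.1\" 200 512",
            // plain probe: {"@type":"x.y.Z"} percent-encoded
            "198.51.100.7 - - [25/Nov/2025:10:00:02 +0000] \"GET " + ENDPOINT
                + "?search=%7B%22%40type%22%3A%22x.y.Z%22%7D HTTP/1.1\" 500 0",
            // escaped probe: the "@" is written as the JSON unicode escape for U+0040
            "198.51.100.7 - - [25/Nov/2025:10:00:03 +0000] \"GET " + ENDPOINT
                + "?search=%7B%22%5Cu0040type%22%3A%22x.y.Z%22%7D HTTP/1.1\" 500 0",
            // same probe against another endpoint: out of scope for this detector
            "198.51.100.7 - - [25/Nov/2025:10:00:04 +0000] \"GET /material/list"
                + "?search=%7B%22%40type%22%3A%22x.y.Z%22%7D HTTP/1.1\" 200 88"
        );
        for (String finding : scan(lines)) {
            System.out.println(finding);
        }
    }
}
```

The detector is scoped to the one endpoint the advisory names; the same normalization step belongs in any WAF or RASP rule from recommendation 3, and the endpoint check can be dropped to hunt for autoType probes against every parseObject() sink in the application.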


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69260c0cffc41f183f7e2ce6

Added to database: 11/25/2025, 8:05:32 PM

Last enriched: 12/2/2025, 8:46:01 PM

Last updated: 1/10/2026, 10:12:31 PM

