CVE-2025-51745: n/a
An issue was discovered in jishenghua JSH_ERP 2.3.1. The /role/addcan endpoint is vulnerable to fastjson deserialization attacks.
AI Analysis
Technical Summary
CVE-2025-51745 is a critical security vulnerability identified in jishenghua JSH_ERP version 2.3.1, specifically affecting the /role/addcan endpoint. The vulnerability arises from unsafe deserialization of data using the fastjson library, a common Java JSON parser known to be vulnerable to remote code execution (RCE) attacks when improperly configured. An attacker can send specially crafted JSON payloads to the endpoint, triggering the deserialization process to execute arbitrary code on the server without authentication or user interaction. This vulnerability is classified under CWE-502 (Deserialization of Untrusted Data), which is a well-known vector for severe attacks including full system compromise. The CVSS v3.1 base score of 9.8 reflects the vulnerability’s critical nature, with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact covers confidentiality, integrity, and availability, meaning attackers can steal sensitive data, modify system behavior, or disrupt services. Although no public exploits are currently reported, the high severity and common use of fastjson in Java applications make this vulnerability a prime target for attackers. The lack of available patches at the time of disclosure increases the urgency for organizations to implement interim mitigations. The vulnerability’s presence in an ERP system is particularly concerning as these platforms often manage critical business processes and sensitive data, amplifying potential damage from exploitation.
Potential Impact
For European organizations, exploitation of CVE-2025-51745 could lead to complete compromise of affected ERP systems, resulting in unauthorized access to sensitive business data, manipulation of role assignments or permissions, and potential disruption of enterprise resource planning operations. This could cause significant operational downtime, financial loss, and reputational damage. Given the criticality of ERP systems in supply chain management, finance, and human resources, attackers could leverage this vulnerability to conduct espionage, sabotage, or ransomware deployment. The vulnerability’s network accessibility and lack of authentication requirements increase the risk of widespread exploitation, especially in organizations with exposed ERP endpoints. Additionally, regulatory compliance risks arise from potential data breaches involving personal or financial information, which are subject to GDPR and other European data protection laws. The absence of known exploits currently provides a window for proactive defense, but the high CVSS score indicates that once exploited, the impact would be severe and recovery complex.
Mitigation Recommendations
European organizations using jishenghua JSH_ERP 2.3.1 should immediately restrict external access to the /role/addcan endpoint by implementing network-level controls such as firewalls or VPNs. Until an official patch is released, disabling or limiting fastjson deserialization functionality within the ERP application is recommended to prevent processing of untrusted JSON payloads. Application-layer input validation and strict allowlisting of JSON classes can reduce the attack surface. Monitoring network traffic and application logs for anomalous requests targeting the vulnerable endpoint can help detect exploitation attempts early. Organizations should engage with the vendor to obtain patches or updates addressing this vulnerability and plan rapid deployment once available. Conducting a thorough audit of ERP system configurations and access controls will help identify and mitigate other potential weaknesses. Finally, implementing endpoint detection and response (EDR) solutions can assist in identifying post-exploitation activities and contain breaches promptly.
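A small detection helper for the monitoring and class-allowlisting recommendations above, added here as an example and not code from JSH_ERP or its vendor; the request-log format, its field names and the `com.example.erp.` package prefix are assumptions.

```python
"""Added detection helper (not JSH_ERP code): flag POSTs to /role/addcan whose JSON body
names a fastjson "@type" class outside an assumed allowlist. Log format and prefix are assumed."""
import json
from typing import Iterator

VULN_ENDPOINT = "/role/addcan"
ALLOWED_PREFIXES = ("com.example.erp.",)  # assumed: only the app's own package may be named


def declared_types(node) -> Iterator[str]:
    """Yield the value of every "@type" key anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@type" and isinstance(value, str):
                yield value
            yield from declared_types(value)
    elif isinstance(node, list):
        for item in node:
            yield from declared_types(item)

def classify(record: dict) -> str:
    """Return 'ignore', 'malformed', 'allowed' or 'alert' for one request record."""
    if record.get("method") != "POST" or record.get("path") != VULN_ENDPOINT:
        return "ignore"
    try:
        body = json.loads(record.get("body") or "")
    except ValueError:
        return "malformed"  # not JSON: worth logging, but it never reaches the deserializer
    types = list(declared_types(body))
    if types and not all(t.startswith(ALLOWED_PREFIXES) for t in types):
        return "alert"  # class name outside the allowlist: treat as an exploitation attempt
    return "allowed"

def scan(lines: list[str]) -> list[tuple[str, str]]:
    """One JSON record per line; return (source IP, verdict) for each non-ignored record."""
    out = []
    for line in lines:
        record = json.loads(line)
        verdict = classify(record)
        if verdict != "ignore":
            out.append((record.get("src", "?"), verdict))
    return out

# Constructed sample records; the "@type" value is a placeholder class name, not a real one.
SAMPLE_LOG = [
    '{"src":"10.0.0.5","method":"POST","path":"/role/addcan","body":"{\\"roleId\\":3,\\"canIds\\":[1,2]}"}',
    '{"src":"198.51.100.9","method":"POST","path":"/role/addcan","body":"{\\"a\\":{\\"@type\\":\\"some.other.Class\\"}}"}',
    '{"src":"10.0.0.7","method":"POST","path":"/role/addcan","body":"not json"}',
]
```

Running `scan(SAMPLE_LOG)` yields one tuple per record: the first is allowed, the second is an alert, and the third is malformed.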
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69261d1814e694ef3cf57cbb
Added to database: 11/25/2025, 9:18:16 PM
Last enriched: 12/2/2025, 9:42:32 PM
Last updated: 1/10/2026, 10:11:55 PM
Views: 75