CVE-2025-5680: Deserialization in Shenzhen Dashi Tongzhou Information Technology AgileBPM
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5680 is a vulnerability in Shenzhen Dashi Tongzhou Information Technology's AgileBPM, reported as affecting versions 2.0 through 2.5.0. The flaw is in the executeScript function of SysScriptController.java, the REST handler for the Groovy Script Handler component. The 'script' argument of that handler is attacker-influenced and reaches the Groovy engine. The source database files the result as deserialization, but a request parameter that is handed to a Groovy interpreter is, in practice, a server-side code execution primitive, and the impact should be assessed on that basis rather than read off the label. The assigned CVSS 4.0 base score is 5.3 (medium): reachable over the network, low attack complexity, no user interaction, and limited confidentiality, integrity and availability impact. A 5.3 with that impact profile is consistent with low privileges being required rather than none, so the endpoint is most plausibly reachable by an authenticated application user rather than anonymously; check the published vector before assuming pre-authentication exploitability. The 'critical' wording in the description is the database's own classification and does not match the CVSS rating; the numeric score and the nature of the primitive are the better guides. Exploit details have been publicly disclosed, but no exploitation in the wild has been reported. No vendor patch or mitigation is listed, so compensating controls are the immediate option.
Potential Impact
For European organizations running AgileBPM 2.0 through 2.5.0, the realistic outcome of exploitation is execution of attacker-chosen Groovy inside the BPM server process. From there an attacker can read or alter workflow data, disrupt process automation, and use whatever database and integration credentials the application holds to move laterally. Because AgileBPM sits in the path of business workflows, this affects operational continuity and data integrity. The medium CVSS rating reflects the limited impact metrics and the likely need for an account on the application, not a weak primitive, so the score should not be taken as the whole story. Sectors that depend on BPM systems, such as finance, manufacturing and public administration, carry the most operational risk. No active exploitation has been reported, but the public disclosure of exploit details raises the chance of opportunistic attacks against deployments that have not been patched or isolated.
Mitigation Recommendations
European organizations should first inventory AgileBPM deployments and record the installed version, comparing it numerically against the affected range (2.0 to 2.5.0) rather than by string match. Until a vendor fix exists, the most effective control is to make the script-execution endpoint unreachable from anything but trusted administrative networks or VPNs: restrict the management interface by network segmentation, and at the reverse proxy deny the executeScript path outright if it is not needed. A WAF can add signature rules for obviously hostile Groovy (process spawning, class loading, file and socket access, Java deserialization calls), but treat these as detection rather than prevention, since Groovy offers many equivalent spellings of the same call and a signature-based block is easy to evade. Log every request to the SysScriptController endpoints with source address and authenticated user, and alert on hits from outside the trusted networks or on scripts containing the constructs above. Disable Groovy script execution entirely if business processes do not depend on it; if it must stay, confine it to administrators, because sandboxing a Groovy interpreter is notoriously hard to get right. Run the AgileBPM service under a least-privilege account with no more file system, database or network access than it needs, so that code execution inside the process gains as little as possible. Update incident response playbooks with containment steps for script-execution compromises, and apply the vendor's patch promptly once one is released.
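The following is an added example, not code from this page or from AgileBPM, that makes two points above concrete: the request surface described in the technical analysis (a 'script' parameter reaching a Groovy handler, whether in the query string or a form body) and the log monitoring and version triage recommended here. The endpoint path, the log format with the request body appended, the trusted networks and every sample log line are assumptions constructed for the example. Hits from outside the trusted networks are flagged regardless of content; content signatures are applied on top as supporting evidence, since a clean signature match does not make a request safe.

```python
"""Constructed triage of access-log lines for a Groovy script-execution endpoint.
Not AgileBPM code; path, log format, networks and sample lines are assumptions."""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Assumed URL mapping of the executeScript handler; adjust to what your logs show.
SCRIPT_ENDPOINT = re.compile(r"/executeScript(?:\?|$)", re.I)

# Networks allowed to reach the management interface (assumed for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.50.0/24")]

# Groovy constructs a BPM rule script has no reason to contain. These are
# evidence, not a gate: Groovy has many spellings for the same call.
DANGEROUS = [
    ("process-exec", re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|new\s+ProcessBuilder|\.execute\s*\(")),
    ("class-loading", re.compile(r"Class\s*\.\s*forName|GroovyClassLoader|URLClassLoader|\.newInstance\s*\(")),
    ("io-access", re.compile(r"new\s+File\b|File(?:Input|Output)Stream|new\s+Socket\b|new\s+URL\b")),
    ("java-deserialize", re.compile(r"ObjectInputStream|\.readObject\s*\(|XStream|XMLDecoder")),
    ("script-shell", re.compile(r"GroovyShell|\bEval\s*\.\s*me\b|\.evaluate\s*\(")),
]

# Assumed log format: combined-style access log with the form body after "body=".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: body=(?P<body>.*))?$'
)


def is_trusted(ip: str) -> bool:
    """True only for well-formed addresses inside TRUSTED_NETS; unparsable is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def extract_script(path: str, body: Optional[str]) -> Optional[str]:
    """Return the decoded 'script' parameter from the query string or the form body."""
    params = parse_qs(path.partition("?")[2], keep_blank_values=True)
    if body:
        params.update(parse_qs(body, keep_blank_values=True))
    values = params.get("script")
    return values[0] if values else None


def classify(line: str) -> Optional[dict]:
    """Finding record for a request to the script endpoint, None for anything else."""
    m = LOG_RE.match(line)
    if not m or not SCRIPT_ENDPOINT.search(m["path"]):
        return None
    script = extract_script(m["path"], m["body"])
    findings = []
    if not is_trusted(m["ip"]):
        findings.append("untrusted-source")  # endpoint reachable from outside allowed networks
    for tag, pattern in DANGEROUS:
        if script and pattern.search(script):
            findings.append(tag)
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": m["status"], "script": script, "findings": findings}


def triage(lines) -> List[dict]:
    """Endpoint hits carrying at least one finding, in log order."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["findings"]]


def is_affected(version: str) -> bool:
    """Numeric comparison against the advisory's range 2.0 to 2.5.0 (a string
    comparison would misjudge a version such as 2.10.0)."""
    parts = [int(p) for p in version.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return (2, 0, 0) <= tuple(parts[:3]) <= (2, 5, 0)


# Constructed sample lines: one benign admin call, two external hits, unrelated
# traffic, and a trusted source loading classes reflectively.
SAMPLE_LOG = [
    '10.1.2.3 - admin [05/Jun/2025:10:00:01 +0200] "POST /sys/script/executeScript HTTP/1.1" 200 85 body=script=return+order.amount+%3E+1000',
    '203.0.113.9 - - [05/Jun/2025:10:00:07 +0200] "POST /sys/script/executeScript HTTP/1.1" 200 512 body=script=Runtime.getRuntime%28%29.exec%28%22id%22%29',
    '203.0.113.9 - - [05/Jun/2025:10:00:09 +0200] "GET /sys/script/executeScript?script=1%2B1 HTTP/1.1" 200 12',
    '10.1.2.3 - admin [05/Jun/2025:10:01:00 +0200] "GET /sys/user/list HTTP/1.1" 200 2048',
    '192.168.50.7 - svc [05/Jun/2025:10:02:00 +0200] "POST /sys/script/executeScript HTTP/1.1" 500 40 body=script=Class.forName%28%22java.lang.Runtime%22%29',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], ", ".join(hit["findings"]))
```

Running the block lists the two external hits (the second one flagged only for its source, since "1+1" is harmless on its own) and the trusted-source call that loads classes reflectively; the admin's rule script and the unrelated request produce nothing. Note that the source-based rule does the real work: the external probe with a benign-looking script is exactly the request a signature-only WAF rule would let through.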
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T13:17:41.924Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6841f6f6182aa0cae2ee9c53
Added to database: 6/5/2025, 7:58:46 PM
Last enriched: 7/7/2025, 5:11:28 PM
Last updated: 8/2/2025, 4:13:21 PM