CVE-2025-9602: Improper Authorization in Xinhu RockOA
A vulnerability was found in Xinhu RockOA up to version 2.6.9. Affected is the function publicsaveAjax of the file /index.php. Manipulating this function results in improper authorization. The attack can be carried out remotely. The exploit has been made public and could be used.
AI Analysis
Technical Summary
CVE-2025-9602 is a medium-severity vulnerability affecting Xinhu RockOA versions 2.6.0 through 2.6.9. The vulnerability resides in the publicsaveAjax function within the /index.php file. It involves improper authorization controls, allowing an attacker to manipulate requests remotely without proper privilege checks. The CVSS vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates that the vulnerability can be exploited over the network with low attack complexity, without user interaction, and with only low-level privileges required. The impact on confidentiality, integrity, and availability is limited but present (VC:L/VI:L/VA:L), meaning the attacker can partially compromise these security properties. The exploit has been publicly disclosed, increasing the risk of exploitation, although no confirmed exploits in the wild have been reported yet. Because the vulnerability does not require complex attack conditions or privileges beyond a low-level account, it is relatively easy to exploit in environments where RockOA is deployed. RockOA is an office automation platform used primarily in enterprise environments for workflow and document management, so unauthorized access or manipulation could lead to data leakage, unauthorized data modification, or disruption of business processes.
Potential Impact
For European organizations using Xinhu RockOA, this vulnerability poses a risk of unauthorized access to and manipulation of sensitive business data and workflows. Given RockOA's role in managing internal communications and documents, exploitation could lead to leakage of confidential information, alteration of records, or disruption of operational processes. This could affect compliance with data protection regulations such as GDPR if personal or sensitive data is involved. The medium severity suggests that while the impact is not catastrophic, it could still cause significant operational and reputational damage, especially in sectors that rely heavily on secure document management, such as finance, healthcare, and government. The public availability of the exploit increases the urgency for European organizations to address this vulnerability promptly to prevent opportunistic attacks.
Mitigation Recommendations
European organizations should immediately identify and inventory all instances of Xinhu RockOA versions 2.6.0 through 2.6.9 in their environment. Since no official patches or updates are linked in the provided information, organizations should contact Xinhu for security updates or patches addressing this vulnerability. In the interim, implement strict network-level access controls to restrict access to RockOA interfaces, especially the /index.php endpoint, to trusted internal IP addresses only. Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous requests targeting the publicsaveAjax function. Conduct thorough logging and monitoring of RockOA access logs to detect suspicious activities indicative of exploitation attempts. Additionally, review and tighten user privilege assignments within RockOA to minimize the impact of potential unauthorized actions. Regularly back up critical data managed by RockOA to enable recovery in case of data integrity compromise. Finally, educate IT and security teams about this vulnerability and the importance of rapid response.
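The log-monitoring and network-restriction recommendations above, expressed as a check over access-log lines. This is an added example, not part of the advisory or of RockOA; it assumes combined-format web server logs, a trusted internal range of 10.20.0.0/16, and a placeholder query parameter `a` carrying the function name, since the page does not state how RockOA names the requested action.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed combined-format access-log lines. The query parameter "a" that
# carries the function name is a placeholder, not RockOA's documented parameter.
SAMPLE_LOG = """\
10.20.0.15 - - [29/Aug/2025:01:40:01 +0000] "POST /index.php?a=publicsaveAjax HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.77 - - [29/Aug/2025:01:41:13 +0000] "POST /index.php?a=publicsaveAjax HTTP/1.1" 200 498 "-" "python-requests/2.31"
10.20.0.22 - - [29/Aug/2025:01:42:30 +0000] "GET /index.php?a=index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Aug/2025:01:43:05 +0000] "GET /index.php?a=login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed trusted internal range; adjust to the networks allowed to reach RockOA.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True when the client address falls inside an allowed internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def hits_publicsaveajax(target: str) -> bool:
    """True when the request targets /index.php and names publicsaveAjax."""
    parts = urlsplit(target)
    return parts.path.endswith("/index.php") and "publicsaveajax" in parts.query.lower()

def analyze(log_text: str) -> list[dict]:
    """One finding per /index.php request that breaks the IP allowlist or reaches
    publicsaveAjax. high: untrusted source on publicsaveAjax; medium: untrusted
    source elsewhere on /index.php; low: trusted source on publicsaveAjax (audit)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not urlsplit(m["target"]).path.endswith("/index.php"):
            continue
        trusted, vuln = is_trusted(m["ip"]), hits_publicsaveajax(m["target"])
        severity = ("high" if not trusted and vuln else "medium" if not trusted
                    else "low" if vuln else None)
        if severity is None:
            continue
        findings.append({"severity": severity, "ip": m["ip"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return findings
```

Low-severity findings are worth keeping: they show which authenticated internal users exercise the affected function, which is the population whose privilege assignments the recommendations above say to review.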
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-28T15:02:48.735Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b106c4ad5a09ad007273eb
Added to database: 8/29/2025, 1:47:48 AM
Last enriched: 8/29/2025, 2:03:12 AM
Last updated: 8/29/2025, 3:31:39 AM