CVE-2025-10247
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-11

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in JEPaaS 7.2.8. This vulnerability affects the function doFilterInternal of the component Filter Handler. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-11
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-09-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10247
EUVD
EUVD-2025-27631
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jepaas jepaas 7.2.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-10247 is an access control vulnerability in JEPaaS version 7.2.8, specifically in the doFilterInternal function of the Filter Handler component. Due to improper implementation of access controls in the SessionFilter component, attackers can bypass authentication and directly access protected interfaces without proper authorization. This happens because the access control check is performed after the asset has already been accessed, allowing unauthorized users to circumvent security controls remotely. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized remote attackers to bypass access controls and gain direct access to protected system interfaces. This can lead to unauthorized disclosure of confidential information, modification of data, and disruption of system availability. Since the vulnerability affects confidentiality, integrity, and availability, it poses a significant security risk to affected systems. [2]

Detection Guidance

This vulnerability can be detected by attempting to access the protected interfaces without proper authentication using the known proof-of-concept URL path `/error/.%2e;/je/rbac/rbac/queryUser`. Monitoring web server logs for requests containing this path or similar suspicious URL encodings may help identify exploitation attempts. Specific commands are not provided in the resources, but using tools like curl or wget to test the URL or inspecting logs with grep for the path could be effective. [1, 2]

Mitigation Strategies

Immediate mitigation steps include replacing the affected JEPaaS 7.2.8 product with an alternative solution, as no vendor patches or fixes are available. Additionally, restricting access to the vulnerable component via network controls, such as firewall rules or access control lists, may reduce exposure. Monitoring for exploitation attempts and applying strict access controls at the network perimeter are recommended. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart