CVE-2025-62795

HIGH EPSS 17.3%

Published Oct 30, 20258mo ago · Modified Jun 17, 20261w ago

7.1 CVSS 3.1

High

Published Oct 30, 2025 8mo ago

Last Modified Jun 17, 2026 1w ago

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v3.10.21-lts and v4.10.12-lts, a low-privileged authenticated user can invoke LDAP configuration tests and start LDAP synchronization by sending crafted messages to the /ws/ldap/ WebSocket endpoint, bypassing authorization checks and potentially exposing LDAP credentials or causing unintended sync operations. This vulnerability is fixed in v3.10.21-lts and v4.10.12-lts.

CVSS Details

Base Score

7.1

Exploitability

2.8

Impact

4.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

17.3% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-863 Incorrect Authorization Authorization

Affected Products 2

Vendor	Product	Version	Range
fit2cloud	jumpserver	*	<3.10.21
fit2cloud	jumpserver	*	≥4.0.0 – <4.10.12

References 1

github.com https://github.com/jumpserver/jumpserver/security/advisories/GHSA-7893-256g-m822

ExploitVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.