CVE-2023-7325 CRITICAL

CVE-2023-7325: Mingyu Operations and Maintenance Audit and Risk Control System xmlrpc.sock SSRF

Vendor Anheng Information (Hangzhou Dbapp Security Information Technology Co., Ltd.)
Product Mingyu Operations and Maintenance Audit and Risk Control System
Weakness CWE-306 · Missing auth
Published October 30, 2025
Last update October 31, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Anheng Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 contains a server-side request forgery (SSRF) vulnerability in the xmlrpc.sock handler. The product accepts specially crafted XML-RPC requests that can be used to instruct the server to connect to internal unix socket RPC endpoints and perform privileged XML-RPC methods. An attacker able to send such requests can invoke administrative RPC methods via the unix socket interface to create arbitrary user accounts on the system, resulting in account creation and potential takeover of the bastion host. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:17.837319 UTC.

Key dates

02Disclosure timeline

October 30, 2025 CVE published
October 31, 2025 Record updated