Back to KEVs

CVE-2023-7325

Mingyu Operations and Maintenance Audit and Risk Control System xmlrpc.sock SSRF

Basic Information

CVE State
PUBLISHED
Reserved Date
October 30, 2025
Published Date
October 30, 2025
Last Updated
October 31, 2025
Vendor
Anheng Information (Hangzhou DBAPP Security Information Technology Co., Ltd.)
Product
Mingyu Operations and Maintenance Audit and Risk Control System
Description
Anheng Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 contains a server-side request forgery (SSRF) vulnerability in the xmlrpc.sock handler. The product accepts specially crafted XML-RPC requests that can be used to instruct the server to connect to internal unix socket RPC endpoints and perform privileged XML-RPC methods. An attacker able to send such requests can invoke administrative RPC methods via the unix socket interface to create arbitrary user accounts on the system, resulting in account creation and potential takeover of the bastion host. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:17.837319 UTC.

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

SSVC Information

Exploitation
poc
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:43:10 UTC) Source

References

https://cn-sec.com/archives/1947658.html https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%AE%89%E6%81%92/%E5%AE%89%E6%81%92%20%E6%98%8E%E5%BE%A1%E8%BF%90%E7%BB%B4%E5%AE%A1%E8%AE%A1%E4%B8%8E%E9%A3%8E%E9%99%A9%E6%8E%A7%E5%88%B6%E7%B3%BB%E7%BB%9F%20xmlrpc.sock%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E6%B7%BB%E5%8A%A0%E6%BC%8F%E6%B4%9E.md https://www.vulncheck.com/advisories/mingyu-operations-and-maintenance-audit-and-risk-control-system-xmirpc-sock-ssrf

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:43:10 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel