CVE-2025-27095

MEDIUM

JumpServer <4.8.0, 3.10.18 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-27095. PoCs published by manus-use.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2025-32433, targeting Erlang/OTP SSH. The PoC demonstrates a pre-authentication RCE by sending crafted SSH packets to execute arbitrary commands on the server.

Description

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to 4.8.0 and 3.10.18, an attacker with a low-privileged account can access the Kubernetes session feature and manipulate the kubeconfig file to redirect API requests to an external server controlled by the attacker. This allows the attacker to intercept and capture the Kubernetes cluster token. This can potentially allow unauthorized access to the cluster and compromise its security. This vulnerability is fixed in 4.8.0 and 3.10.18.

Exploits (1)

github WORKING POC
by manus-use · postscriptpoc
https://github.com/manus-use/cve-pocs/tree/main/koko-CVE-2025-27095

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Erlang/OTP SSH (OTP-22.3.4.17)
No auth needed
Prerequisites: Network access to the target SSH port · Vulnerable Erlang/OTP version
devstral-2 · analyzed Feb 27, 2026

Scores

CVSS v3 4.3
EPSS 0.0042
EPSS Percentile 62.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-266
Status published
Products (1)
fit2cloud/jumpserver < 3.10.18
Published Mar 31, 2025
Tracked Since Feb 18, 2026