关键漏洞信息 标题 Mingyu Operations and Maintenance Audit and Risk Control System xmlrpc.sock SSRF 等级 Critical 发布日期 October 30, 2025 影响范围 Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 Affected versions are undefined CVE编号 CVE-2023-7325 CWE类型 CWE-306: Missing Authentication for Critical Function CWE-918: Server-Side Request Forgery (SSRF) CVSS评分 9.3 CVSS V4向量 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N 参考链接 CN-SEC Disclosure (1947658)) PeiQi GitHub Disclosure 报告者 Anonymous User via CN-SEC 漏洞描述 Anheng Mingyu Operation and Maintenance Audit and Risk Control System up to 2023-08-10 contains a server-side request forgery (SSRF) vulnerability in the xmlrpc.sock handler. The product accepts specially crafted XML-RPC requests that can be used to instruct the server to connect to internal unix socket RPC endpoints and perform privileged XML-RPC methods. An attacker able to send such requests can invoke administrative RPC methods via the unix socket interface to create arbitrary user accounts on the system, resulting in account creation and potential takeover of the bastion host. VulnCheck has observed this vulnerability being exploited in the wild as of 2025-10-30 at 00:30:17.837319 UTC.