CVE-2019-25714
published 2026-04-21CVE-2019-25714: Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write…
PriorityP187critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWVulnCheck KEV
Exploited in the wild
EPSS
0.65%
46.6th percentile
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seeyon_internet_software | a8+_collaborative_management_software | — | — |
| seeyon_internet_software | a8+_collaborative_management_software | — | — |
| seeyon_internet_software | a8+_collaborative_management_software | — | — |
| seeyon_internet_software | a8+_collaborative_management_software | — | — |
| seeyon_internet_software | a8+_collaborative_management_software | — | — |
| seeyon_internet_software | a8-v5_collaborative_management_software | — | — |
CVSS provenance
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8p56-4vpw-2jvc: Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to
ghsa_unreviewed·2026-04-21
CVE-2019-25714 [CRITICAL] CWE-434 GHSA-8p56-4vpw-2jvc: Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
VulDB
Seeyon A8-V5 Collaborative Management Software 6.1sp1 POST htmlofficeservlet unrestricted upload
vuldb·2026-04-21·CVSS 9.3
CVE-2019-25714 [CRITICAL] Seeyon A8-V5 Collaborative Management Software 6.1sp1 POST htmlofficeservlet unrestricted upload
A vulnerability marked as critical has been reported in Seeyon A8-V5 Collaborative Management Software and A8+ Collaborative Management Software 6.1sp1. This affects an unknown function of the file /seeyon/htmlofficeservlet of the component POST Handler. Performing a manipulation results in unrestricted upload.
This vulnerability is cataloged as CVE-2019-25714. It is possible to initiate the attack remotely. There is no exploit available.
VulnCheck
Unrestricted Upload of File with Dangerous Type
vulncheck·2019·CVSS 9.3
CVE-2019-25714 [CRITICAL] Unrestricted Upload of File with Dangerous Type
Unrestricted Upload of File with Dangerous Type
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
Affected: A8-V5 Collaborative Management Software Seeyon Internet Software
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations ar
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://sourceforge.net/software/product/A8/https://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/90916/Security_Notification_reseller_en-US.pdfhttps://web.archive.org/web/20190821034711/http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E8%87%B4%E8%BF%9Coa/%E8%87%B4%E8%BF%9C%20OA%20A8%20htmlofficeservlet%20getshell%20%E6%BC%8F%E6%B4%9E/https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31713https://www.fortiguard.com/encyclopedia/ips/48874/seeyon-office-anywhere-htmlofficeservlet-arbitrary-file-uploadhttps://www.vulncheck.com/advisories/seeyon-office-anywhere-oa-a8-unauthenticated-arbitrary-file-write-via-htmlofficeservlet
2026-04-21
Published
Exploited in the wild