CVE-2023-7305
Published: 2025-10-15
Priority: P1 · 80 · critical · 9.2 (CVSS 4.0)
ITW: VulnCheck KEV
Exploited in the wild
EPSS
0.48%
38.1th percentile
SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| guangzhou_smart_software_co_ltd | smartbi | >= V10 < July 2023 update | July 2023 update |
| guangzhou_smart_software_co_ltd | smartbi | >= V8 < July 2023 update | July 2023 update |
| guangzhou_smart_software_co_ltd | smartbi | >= V9 < July 2023 update | July 2023 update |
CVSS provenance
NVD · v4.0 · 9.2 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck · 9.2 CRITICAL
GHSA
GHSA-75gf-3x5v-8fcm: SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic
ghsa_unreviewed · 2025-10-15
CVE-2023-7305 [CRITICAL] CWE-434 GHSA-75gf-3x5v-8fcm: SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic
SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being targeted by the Rondo botnet.
VulnCheck
Unrestricted Upload of File with Dangerous Type
vulncheck · 2023 · CVSS 9.2
CVE-2023-7305 [CRITICAL] Unrestricted Upload of File with Dangerous Type
SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild.
Affected: SmartBI V8/V9/V10
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/cverecord?id=CVE-2023-7305; https://www.vulncheck.com/advisories/sma
No detection rules found.
No public exploits indexed.
https://avd.aliyun.com/detail?id=AVD-2023-1673292
https://jeyiuwai.pages.dev/posts/1day-%E8%B7%9F%E8%B8%AAsmartbi-rmiservlet-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
https://www.smartbi.com.cn/patchinfo
https://www.vulncheck.com/advisories/smartbi-rmiservlet-unrestricted-file-upload-rce