CVE-2025-34040
published 2025-06-24


Priority: P1 92 critical · CVSS 4.0 score: 10
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 14.38% (96.2th percentile)
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.

Affected

7 ranges

Vendor   Product                              Version range    Fixed in
seeyon   zhiyuan_oa_web_application_system    5.0              (not stated)
seeyon   zhiyuan_oa_web_application_system    7.0              (not stated)
seeyon   zhiyuan_oa_web_application_system    7.1sp1           (not stated)
seeyon   zhiyuan_oa_web_application_system    5.1 – 5.6sp1     (not stated)
seeyon   zhiyuan_oa_web_application_system    6.0 – 6.1sp2     (not stated)
seeyon   zhiyuan_oa_web_application_system    7.0sp1 – 7.1     (not stated)
seeyon   zhiyuan_oa_web_application_system    8.0 – 8.0sp2     (not stated)

Detection & IOCs (extracted from sources)

url:   /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{(unknown)}.jsp&fileId=2
path:  /seeyon/wpsAssistServlet
path:  /seeyon/index.jsp
other: officeTransResultFlag
  • Detect exploitation attempts by monitoring POST requests to /seeyon/wpsAssistServlet with the 'flag=save' parameter and a 'realFileType' value containing path traversal sequences (e.g., '../../../../').
  • The attack uses a multipart/form-data upload with a benign-looking filename (e.g., '123.xls') while the actual malicious JSP file path is smuggled via the 'realFileType' parameter — inspect multipart uploads where realFileType and the uploaded filename extension differ.
  • A successful upload response contains both 'officeTransResultFlag' and '"success":true' in the response body — alert on these strings appearing together in responses to wpsAssistServlet requests.
  • The uploaded JSP webshell is placed under /ApacheJetspeed/webapps/ROOT/ and accessed directly via GET request to the web root — monitor for newly created .jsp files in that directory and unexpected GET requests to random-named .jsp files at the root path.
  • Exploitation of this CVE was observed in the wild by the Shadowserver Foundation starting 2025-02-01 UTC — treat any wpsAssistServlet path-traversal upload attempts as active exploitation.
  • Fingerprint vulnerable Zhiyuan OA instances by searching for 'seeyon/index.jsp' in HTTP response bodies (FOFA query used by researchers).
  • The vulnerability is unauthenticated — no session token or credentials are required to exploit the wpsAssistServlet endpoint, meaning perimeter authentication controls alone are insufficient.
  • Affected versions span a wide range (5.0, 5.1–5.6sp1, 6.0–6.1sp2, 7.0, 7.0sp1–7.1, 7.1sp1, 8.0–8.0sp2); detection rules should not be scoped to a single version.

CVSS provenance

NVD (v4.0): 10.0 CRITICAL — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL