CVE-2025-34040
Published: 2025-06-24
Priority: P1 (92) · critical · 10 (CVSS 4.0)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 14.38% (96.2th percentile)
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seeyon | zhiyuan_oa_web_application_system | — | — |
| seeyon | zhiyuan_oa_web_application_system | — | — |
| seeyon | zhiyuan_oa_web_application_system | — | — |
| seeyon | zhiyuan_oa_web_application_system | 5.1 – 5.6sp1 | — |
| seeyon | zhiyuan_oa_web_application_system | 6.0 – 6.1sp2 | — |
| seeyon | zhiyuan_oa_web_application_system | 7.0sp1 – 7.1 | — |
| seeyon | zhiyuan_oa_web_application_system | 8.0 – 8.0sp2 | — |
Detection & IOCs (extracted from sources)
URL: /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2
- Detect exploitation attempts by monitoring POST requests to /seeyon/wpsAssistServlet with the 'flag=save' parameter and a 'realFileType' value containing path traversal sequences (e.g., '../../../../').
- The attack uses a multipart/form-data upload with a benign-looking filename (e.g., '123.xls') while the actual malicious JSP file path is smuggled via the 'realFileType' parameter; inspect multipart uploads where realFileType and the uploaded filename extension differ.
- A successful upload response contains both 'officeTransResultFlag' and '"success":true' in the response body; alert on these strings appearing together in responses to wpsAssistServlet requests.
- The uploaded JSP webshell is placed under /ApacheJetspeed/webapps/ROOT/ and accessed directly via GET request to the web root; monitor for newly created .jsp files in that directory and unexpected GET requests to random-named .jsp files at the root path.
- Exploitation of this CVE was observed in the wild by the Shadowserver Foundation starting 2025-02-01 UTC; treat any wpsAssistServlet path-traversal upload attempts as active exploitation.
- Fingerprint vulnerable Zhiyuan OA instances by searching for 'seeyon/index.jsp' in HTTP response bodies (FOFA query used by researchers).
- The vulnerability is unauthenticated: no session token or credentials are required to exploit the wpsAssistServlet endpoint, meaning perimeter authentication controls alone are insufficient.
- Affected versions span a wide range (5.0, 5.1–5.6sp1, 6.0–6.1sp2, 7.0, 7.0sp1–7.1, 7.1sp1, 8.0–8.0sp2); detection rules should not be scoped to a single version.
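The request-side checks above can be run over web access logs. The following is an added example, not a rule from any of the cited sources: it assumes combined-format access logs, the log lines are constructed, and the names `scan` and `decode` are hypothetical. It flags `flag=save` POSTs whose `realFileType` contains traversal after undoing repeated percent-encoding, then correlates later root-level GETs for the same `.jsp` name.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2025:10:00:01 +0000] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/abc123.jsp&fileId=2 HTTP/1.1" 200 87
203.0.113.7 - - [01/Feb/2025:10:00:03 +0000] "GET /abc123.jsp HTTP/1.1" 200 12
198.51.100.4 - - [01/Feb/2025:10:05:00 +0000] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=%252e%252e%252fx.jsp&fileId=9 HTTP/1.1" 500 0
192.0.2.10 - - [01/Feb/2025:10:06:00 +0000] "POST /seeyon/wpsAssistServlet?flag=save&realFileType=.xls&fileId=5 HTTP/1.1" 200 40
192.0.2.10 - - [01/Feb/2025:10:07:00 +0000] "GET /seeyon/index.jsp HTTP/1.1" 200 900
"""

REQ = re.compile(r'^(\S+) .*?"(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode(value, rounds=3):
    # Undo repeated percent-encoding so %252e%252e%252f is also seen as ../
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(log_text):
    findings, dropped = [], {}  # dropped: JSP file name -> uploader IP
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        qs = parse_qs(url.query)  # performs the first round of percent-decoding
        is_save = (method == "POST"
                   and url.path.lower().endswith("/wpsassistservlet")
                   and "save" in qs.get("flag", []))
        if is_save:
            rft = decode(qs.get("realFileType", [""])[0]).replace("\\", "/")
            if "../" in rft:
                findings.append(("traversal_upload", ip, rft, status))
                if rft.lower().endswith(".jsp"):
                    dropped[rft.rsplit("/", 1)[-1]] = ip
        elif method == "GET" and url.path.count("/") == 1 and url.path[1:] in dropped:
            # Root-level GET for a file name seen in an earlier traversal upload
            findings.append(("dropped_jsp_access", ip, url.path, status))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not carry response bodies, so the 'officeTransResultFlag' / '"success":true' check still needs a proxy or WAF that inspects responses.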
CVSS provenance
- nvd · v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vulncheck · 10.0 CRITICAL
GHSA
GHSA-mxx7-67f4-p53j (ghsa_unreviewed · 2025-06-26)
CVE-2025-34040 [CRITICAL] CWE-22
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
VulnCheck
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2025 · CVSS 10.0
CVE-2025-34040 [CRITICAL]
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.
Affected: Zhiyuan OA Platform
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable
No detection rules found.
Nuclei
Zhiyuan OA Platform - Arbitrary File Upload
nuclei · CVSS 10.0
CVE-2025-34040 [CRITICAL]
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
Template:
```yaml
id: CVE-2025-34040

info:
  name: Zhiyuan OA Platform - Arbitrary File Upload
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0,
```

- https://service.seeyon.com/patchtools/tp.html#/patchList?type=%E5%AE%89%E5%85%A8%E8%A1%A5%E4%B8%81&id=1
- https://vulncheck.com/advisories/zhiyuan-oa-system-path-traversal-file-upload
- https://www.cnblogs.com/pursue-security/p/17677130.html
- https://www.cnvd.org.cn/flaw/show/CNVD-2021-01627
- https://www.exploit-db.com/exploits/52490