Zhiyuan OA - Critical Arbitrary File Upload Vulnerability

Basically, a flaw in Zhiyuan OA lets attackers upload harmful files to the server.
A critical vulnerability in Zhiyuan OA allows arbitrary file uploads, posing a risk of remote code execution. Multiple software versions are affected. Immediate patching is essential to prevent exploitation.
What Happened
A serious vulnerability has been discovered in the file upload functionality of Zhiyuan OA. The flaw allows an unauthenticated actor to upload arbitrary files to the server. It is tracked as CVE-2025-34040 and is caused by improper validation in the multipart file upload handling of the wpsAssistServlet.
The Flaw
The vulnerability arises from a path traversal issue, where the realFileType and fileId parameters can be manipulated. This allows attackers to upload files outside the intended directories. By controlling these parameters, an attacker can potentially upload a JSP file that, if executed, can lead to remote code execution.
What's at Risk
If exploited, this vulnerability can result in:
- Remote code execution on the server, allowing attackers to run arbitrary commands.
- Complete server compromise, which could lead to access to internal networks.
- Data exfiltration and further lateral movement within the network.
Affected Versions
The vulnerability affects multiple versions of Zhiyuan OA, including:
- 5.0, 5.1–5.6sp1
- 6.0–6.1sp2
- 7.0–7.1sp1
- 8.0–8.0sp2
Patch Status
As of now, the vendor has released patches to address this vulnerability. Users are encouraged to check the vendor's patch notice and apply updates promptly to mitigate risks.
Immediate Actions
To protect your systems:
- Update to the latest version of Zhiyuan OA as soon as possible.
- Review your server configurations to ensure that file uploads are properly validated.
- Monitor for any suspicious file uploads or activities on your server.
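For the monitoring step, the following is an added example (not vendor code and not part of the original advisory) that scans web access logs for requests to wpsAssistServlet whose realFileType or fileId values carry traversal sequences, path separators or a JSP extension. It assumes combined-format access logs and that the two parameters appear in the logged query string; the `/app/` path prefix, the addresses and all sample log lines are constructed placeholders, and the three checks are a heuristic derived from the description above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters the advisory names as attacker-controllable.
WATCHED_PARAMS = ("realFileType", "fileId")
SERVLET = "wpsassistservlet"
# Request line of a common/combined format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) a bounded number of times."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def reasons_for(line):
    """Return the reasons a log line looks like upload path traversal, or []."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if SERVLET not in decode_fully(parts.path).lower():
        return []
    reasons = []
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = decode_fully(raw).lower()
            if ".." in value:
                reasons.append(f"{name}: parent-directory sequence")
            if "/" in value or "\\" in value:
                reasons.append(f"{name}: path separator")
            if value.endswith((".jsp", ".jspx")):
                reasons.append(f"{name}: server-side script extension")
    return reasons

# Constructed sample log lines (placeholder path prefix and documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /app/wpsAssistServlet?realFileType=docx&fileId=1001 HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "POST /app/wpsAssistServlet?realFileType=..%2F..%2Fexample.jsp&fileId=1 HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "POST /app/wpsAssistServlet?realFileType=docx&fileId=%252e%252e%255cx HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2025:10:00:11 +0000] "GET /app/index.jsp?fileId=../x HTTP/1.1" 200 512',
]

def scan(lines):
    """Map 1-based line number to reasons, for flagged lines only."""
    return {n: r for n, line in enumerate(lines, 1) if (r := reasons_for(line))}
```

If the parameters are sent in the request body rather than the query string, access logs will not contain them, and the same checks would have to run at a reverse proxy or WAF that inspects the body.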
Conclusion
The discovery of this vulnerability underscores the importance of robust input validation in web applications. Organizations using Zhiyuan OA must act swiftly to secure their systems against potential exploitation.