CVE-2025-34040
BaseFortify
Publication date: 2025-06-24
Last updated on: 2026-04-29
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34040 is an arbitrary file upload vulnerability in the Zhiyuan OA platform affecting multiple versions. It occurs due to improper validation of the realFileType and fileId parameters in the wpsAssistServlet interface during multipart file uploads. This flaw allows unauthenticated attackers to perform path traversal and upload crafted JSP files outside intended directories. Once uploaded, these files can be accessed and executed on the web server, enabling remote code execution. [1, 2]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized remote code execution on the affected server. Attackers can upload malicious JSP files that run arbitrary code, potentially leading to full system compromise. The attack requires no privileges or user interaction and can be performed remotely, affecting confidentiality, integrity, availability, and security controls of the system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious POST requests to the /seeyon/wpsAssistServlet endpoint with parameters like realFileType containing path traversal sequences (e.g., ../) and fileId. For example, you can use network traffic inspection tools or web server logs to identify such requests. A specific command example to detect attempted exploitation via curl could be: curl -v -X POST "http://<target>/seeyon/wpsAssistServlet?flag=save&realFileType=../../../../ApacheJetspeed/webapps/ROOT/debugg.jsp&fileId=2" -F "[email protected]" Additionally, searching web server access logs for requests to unusual JSP files uploaded outside normal directories (e.g., /debugg.jsp) can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the wpsAssistServlet interface, applying vendor patches or updates that fix the improper validation of realFileType and fileId parameters, and implementing strict input validation to prevent path traversal in file uploads. Additionally, monitoring and blocking suspicious upload attempts and removing any unauthorized uploaded JSP files can reduce risk. If patches are not yet available, consider disabling the file upload functionality or restricting it to authenticated and trusted users only. [1, 2]