CVE-2025-6761
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-791 | The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-6761 is a critical vulnerability in Kingdee Cloud-Starry-Sky Enterprise Edition (versions 6.x to 9.0) in the Freemarker Engine component, specifically the function plugin.buildMobilePopHtml. It is a template-injection flaw (CWE-1336): externally influenced input reaches the Freemarker template engine without the special elements that the engine interprets as template expressions or directives being neutralized, so a remote attacker can inject template expressions that the engine evaluates on the server. No authentication is required, and because Freemarker expressions can reach Java classes, the result is arbitrary code execution on the server. [1, 2]
How can this vulnerability impact me?
This vulnerability affects the confidentiality, integrity and availability of the affected system. An attacker who reaches the vulnerable endpoint can execute arbitrary code on the server and take control of it, which allows unauthorized access to the data the system holds, full compromise of the host, and use of that host as a foothold for further movement into the internal network. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting exposure to this vulnerability means establishing two things: whether an affected Kingdee Cloud-Starry-Sky Enterprise Edition release (6.x, 7.x, 8.x or 9.0) is deployed, and whether the vulnerable code path is present, i.e. the function plugin.buildMobilePopHtml in the file \k3\o2o\bos\webapp\action\DynamicForm4Action.class of the Freemarker Engine component. On the network side, watch for requests that deliver template expressions to the application; the flaw is exploitable remotely without authentication and a public proof-of-concept exists, so IDS/IPS signatures or vulnerability scanners may already cover it. The referenced resources give no specific commands or signatures; the following are general starting points:
- Confirm the installed version from the vendor's installation records or administration console. If the product was installed through the OS package manager, `rpm -qa | grep kingdee` or `dpkg -l | grep kingdee` will list it; if it was installed any other way, which is common for this product, these commands return nothing and are not evidence of absence.
- Locate the vulnerable class: `find / -name "DynamicForm4Action.class"`. Compiled Java classes are often packaged inside JAR or WAR archives rather than stored as loose files, so also search the contents of the archives under the product's installation directory.
- Review access logs for exploit attempts: `grep -i "plugin.buildMobilePopHtml" /var/log/tomcat/access.log`. Note that plugin.buildMobilePopHtml is a server-side method name and will not normally appear in request lines, so a more useful indicator is URL-decoded request data containing Freemarker syntax such as `<#assign`, `?new(` or `${`.
- Use network monitoring tools or IDS/IPS signatures to detect exploit attempts targeting the Freemarker engine.
Note: specific detection commands or signatures are not detailed in the provided resources. [1, 2]
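The log review above can be automated. The following is an added example, not code from the BaseFortify page, VulDB or the vendor: it scans access-log request lines for Freemarker directive and interpolation syntax after fully URL-decoding them, so that double-encoded payloads are caught as well as plain ones. The log lines are constructed, the request paths in them are placeholders rather than the product's real endpoints, and the class and method names are the example's own. It only sees what lands in the request line, so an exploit delivered in a POST body will not show up in an access log at all and needs request-body logging or a WAF to catch.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical scanner for Freemarker template syntax in access-log request lines.
public class TemplateInjectionLogScan {

    // Tokens that have no business inside a request parameter: Freemarker
    // directives, interpolations, and the class-resolving built-ins.
    static final Pattern INDICATORS = Pattern.compile(
        "<#|\\$\\{|\\?new\\s*\\(|\\?api\\b|freemarker\\.template\\.utility",
        Pattern.CASE_INSENSITIVE);

    // Request field of the common/combined log format: "METHOD /target HTTP/x.y"
    static final Pattern REQUEST = Pattern.compile("\"(?:GET|POST|PUT) (\\S+) HTTP/");

    /** URL-decode until the string stops changing (bounded), so that a
     *  double-encoded payload such as %253C%2523 is reduced to <# as well. */
    static String fullyDecode(String s) {
        String prev = s;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(prev, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return prev;  // malformed %-sequence: keep the last good decoding
            }
            if (next.equals(prev)) break;
            prev = next;
        }
        return prev;
    }

    /** Returns the decoded request targets that carry template syntax. */
    static List<String> suspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) continue;
            String target = fullyDecode(m.group(1));
            if (INDICATORS.matcher(target).find()) hits.add(target);
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines; /app/form is a placeholder path.
        List<String> sample = List.of(
            // benign request
            "10.0.0.5 - - [27/Jun/2025:10:00:01 +0000] \"GET /app/form?id=42 HTTP/1.1\" 200 512",
            // single-encoded directive that instantiates a class via ?new
            "10.0.0.9 - - [27/Jun/2025:10:00:02 +0000] \"GET /app/form?tpl=%3C%23assign+ex%3D%22freemarker.template.utility.Execute%22%3Fnew%28%29%3E HTTP/1.1\" 500 0",
            // double-encoded: a plain grep for '<#' or '%3C%23' misses this one
            "10.0.0.9 - - [27/Jun/2025:10:00:03 +0000] \"GET /app/form?tpl=%253C%2523assign HTTP/1.1\" 200 0");
        for (String hit : suspicious(sample)) {
            System.out.println("template syntax in request: " + hit);
        }
    }
}
```

Run against a real log, this flags the two encoded requests and ignores the benign one. Treat hits as leads, not verdicts: a `${` in a query string is rare but not impossible in legitimate traffic, so correlate with the responding status code and the target endpoint before escalating.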
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade Kingdee Cloud-Starry-Sky Enterprise Edition to the fixed release available from the vendor at vip.kingdee.com; in that release the Freemarker engine is configured with the ALLOWS_NOTHING_RESOLVER, so the `?new` built-in cannot instantiate any class. Until the upgrade is in place, harden the Freemarker configuration yourself: call `configuration.setNewBuiltinClassResolver(...)` with `TemplateClassResolver.SAFER_RESOLVER` (which blocks the dangerous built-in classes ObjectConstructor, Execute and JythonRuntime) or with `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER` (which blocks every class), and keep the `?api` built-in disabled by never calling `configuration.setAPIBuiltinEnabled(true)`. Most importantly, do not splice user input into template source; pass it to the template as data-model values instead. A class resolver limits what `?new` can instantiate but does not stop an attacker-authored template from calling methods on whatever objects the data model exposes, so keeping user input out of the template source is what removes the injection itself. Together these steps take away the engine's ability to reach arbitrary classes and so reduce the risk of remote code execution. [1, 2]
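To make the configuration advice concrete, here is an added example in the shape of a small popup-rendering helper. It is not code from the Kingdee product, the vendor fix or the advisory; the class and method names are hypothetical, and it assumes FreeMarker 2.3.x on the classpath. It shows the vulnerable pattern (user input concatenated into template source under the default, unrestricted class resolver) next to the hardened one (constant template source, input supplied as data, `SAFER_RESOLVER` set and `?api` left disabled), and demonstrates that the resolver rejects the classic `Execute` probe instead of running a command.

```java
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateClassResolver;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper; not the product's own code.
public class FreemarkerHardening {

    // Classic FreeMarker RCE probe: instantiate Execute via ?new and call it.
    // Present only to show that the hardened configuration rejects it.
    static final String PROBE =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}";

    /** VULNERABLE (CWE-1336): user input becomes template source, and the default
     *  UNRESTRICTED_RESOLVER lets ?new instantiate any class, Execute included. */
    static String renderUnsafe(String userInput) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        String source = "<div class=\"popup\">" + userInput + "</div>";  // template splicing
        Template t = new Template("popup", new StringReader(source), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<>(), out);
        return out.toString();
    }

    /** HARDENED: fixed template source, input passed as data, class resolution
     *  restricted, and the ?api built-in left disabled. */
    static String renderSafe(String userInput) throws IOException, TemplateException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // ALLOWS_NOTHING_RESOLVER is the stricter choice and is what the vendor fix uses;
        // SAFER_RESOLVER still allows ?new for classes other than the three dangerous ones.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);  // already the default; stated so nobody flips it
        String source = "<div class=\"popup\">${title?html}</div>";  // constant source
        Template t = new Template("popup", new StringReader(source), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("title", userInput);  // input is data, never code
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // The probe is rendered as inert, HTML-escaped text by the safe path ...
        System.out.println(renderSafe(PROBE));

        // ... and even where it does reach template source, SAFER_RESOLVER refuses
        // to instantiate Execute, so the command never runs.
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
        try {
            new Template("probe", new StringReader(PROBE), cfg)
                .process(new HashMap<>(), new StringWriter());
            System.out.println("UNEXPECTED: probe executed");
        } catch (TemplateException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // renderUnsafe(PROBE) is deliberately not called: it would execute `id`.
    }
}
```

The resolver setting is defence in depth for code paths you cannot immediately rewrite; the change that actually closes CWE-1336 is the move from `renderUnsafe` to `renderSafe`, where the template source is a constant and the request data only ever enters through the data model.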