CVE-2022-50973
Deferred - Pending Action

Unauthenticated Arbitrary File Upload in Yonyou KSOA

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a POST request with attacker-controlled filepath and filename parameters without any authentication, file type, extension, or content validation. Attackers can upload a JSP webshell by specifying a malicious filename and root filepath, with the uploaded file stored under the pictures directory and directly executed by the web server, resulting in unauthenticated remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC).

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: yonyou
Product: ksoa
Version / Range: 9.0

Exploitability

CWE ID: CWE-434
Description: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Executive Summary

CVE-2022-50973 is an unauthenticated arbitrary file upload vulnerability in Yonyou KSOA 9.0, specifically in the com.sksoft.bill.ImageUpload servlet.

This flaw allows attackers to send a specially crafted HTTP POST request with attacker-controlled filepath and filename parameters without any authentication or validation of file type, extension, or content.

By exploiting this, attackers can upload a malicious JSP webshell file to the server, which is stored under the pictures directory and can be executed directly by the web server.

This results in unauthenticated remote code execution, allowing attackers to gain control over the affected system.

Impact Analysis

This vulnerability can have severe impacts including complete system compromise.

Attackers can upload and execute malicious webshells without authentication, enabling them to run arbitrary code on the server.

This can lead to unauthorized access, data theft, system manipulation, and potentially full control over the affected server.

The vulnerability is classified as critical with a high CVSS score (9.3 to 9.8), indicating a high risk to affected systems.

Detection Guidance

This vulnerability can be detected by sending specially crafted HTTP POST requests to the /servlet/com.sksoft.bill.ImageUpload endpoint, attempting to upload a JSP webshell by specifying malicious filename and filepath parameters.

One practical approach is to use vulnerability scanning tools such as Nuclei, which has integrated a specific PoC script for CVE-2022-50973 to perform batch detection.

Additionally, a FOFA search query (app="用友-时空KSOA") can help identify exposed instances of the vulnerable software on the network.

  • Use Nuclei with the CVE-2022-50973 PoC script to scan target systems.
  • Send a POST request to /servlet/com.sksoft.bill.ImageUpload with parameters like filename=shell.jsp and a malicious payload to test if the upload is successful.
  • Example curl command to test upload (replace URL and payload accordingly): curl -X POST "http://target/servlet/com.sksoft.bill.ImageUpload" -F "filepath=/" -F "filename=shell.jsp" -F "[email protected]"
  • After upload, verify if the file is accessible and executable by accessing http://target/pictures/shell.jsp.

Mitigation Strategies

Immediate mitigation steps include applying available patches or updates from the vendor to fix the vulnerability.

If patches are not immediately available, implement multi-layered defense measures to restrict file uploads and execution.

  • Enforce strict validation on both frontend and backend for uploaded files, including file type, extension, and MIME type checks.
  • Use a whitelist approach for allowed file extensions rather than blacklisting.
  • Rename uploaded files to prevent execution of malicious filenames.
  • Limit file size and restrict upload directories with proper permissions.
  • Consider using static storage services (e.g., OSS) to isolate uploaded files from the web server execution environment.
  • Reduce the exposure of the vulnerable service to the internet or untrusted networks.
  • Monitor and block suspicious POST requests targeting /servlet/com.sksoft.bill.ImageUpload.
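
For the monitoring step in the last bullet, a log-review sketch (an added example, not code from the vendor or from this report): it flags POSTs to the upload servlet and any request for a JSP under the pictures directory. The common access-log format, the script extension list and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/servlet/com.sksoft.bill.imageupload"  # from the advisory, lower-cased
UPLOAD_DIR = "/pictures/"                                 # where uploaded files land
SCRIPT_EXT = (".jsp", ".jspx")                            # assumption: extensions the container executes

# Constructed sample lines in "common" access-log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [07/Nov/2023:10:01:12 +0000] "GET /login.jsp HTTP/1.1" 200 5120
198.51.100.7 - - [07/Nov/2023:10:02:40 +0000] "POST /servlet/com.sksoft.bill.ImageUpload HTTP/1.1" 200 64
198.51.100.7 - - [07/Nov/2023:10:02:44 +0000] "GET /pictures/x1.jsp HTTP/1.1" 200 12
192.0.2.10 - - [07/Nov/2023:10:03:00 +0000] "GET /pictures/logo.png HTTP/1.1" 200 2048
203.0.113.5 - - [07/Nov/2023:10:04:09 +0000] "GET /pictures/a.JSP;x=1 HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def normalise(target):
    """Drop the query, decode, strip ;path-parameters, resolve dot segments, lower-case."""
    path = unquote(target.split("?", 1)[0])
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return "/" + posixpath.normpath(path).lstrip("/").lower()

def scan(log_text):
    """Return (uploads, script_hits) as lists of (client, timestamp, path, status)."""
    uploads, script_hits = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        path = normalise(target)
        event = (client, ts, path, int(status))
        if method == "POST" and path == UPLOAD_ENDPOINT:
            uploads.append(event)          # any POST here deserves review
        elif path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT):
            script_hits.append(event)      # a script inside an image directory
    return uploads, script_hits

if __name__ == "__main__":
    uploads, script_hits = scan(SAMPLE_LOG)
    for label, events in (("upload", uploads), ("script-in-pictures", script_hits)):
        for client, ts, path, status in events:
            print(f"{label}: {client} [{ts}] {path} -> {status}")
```

A script hit with status 200 that follows an upload from the same client is the pairing to escalate first; the form fields travel in the request body, so the access log alone will not show the filename that was submitted.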

Compliance Impact

The vulnerability allows unauthenticated attackers to upload arbitrary files, including malicious JSP webshells, leading to remote code execution and potential full system compromise.

Such a security flaw can severely impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data security, access control, and protection against unauthorized system access.

Exploitation of this vulnerability could lead to unauthorized access to sensitive personal or health data, violating confidentiality and integrity requirements mandated by these regulations.

Organizations using the affected software without proper mitigation may face non-compliance issues, increased risk of data breaches, and potential legal and financial penalties.
