Critical Path‑Traversal File Upload in Zhiyuan OA (CVE‑2025‑34040) Enables Remote Code Execution
What Happened – A path‑traversal flaw in Zhiyuan OA’s wpsAssistServlet allows an unauthenticated actor to upload a crafted file (e.g., a JSP) outside the intended directory. The malicious file can be written to the webroot and executed, granting remote code execution and full server compromise.
Why It Matters for TPRM –
- The vulnerability can be weaponised by threat actors to pivot into internal networks of any organisation that relies on Zhiyuan OA.
- Exploitation leads to data exfiltration, persistence mechanisms, and potential ransomware deployment.
- Many public‑sector and enterprise customers use Zhiyuan OA, expanding the attack surface across multiple industries.
Who Is Affected – Enterprises, government agencies, and professional services that deploy Zhiyuan OA (versions 5.0‑8.0 sp2) on‑premise or via hosted environments.
Recommended Actions –
- Apply the vendor’s security patch immediately (see vendor patch page).
- Block or restrict access to /seeyon/wpsAssistServlet from untrusted networks.
- Deploy Web Application Firewall (WAF) rules to detect and block ../ traversal payloads in upload requests, including URL-encoded and backslash variants.
- Conduct a forensic review of existing OA servers for unknown or recently modified JSP files and other artefacts.
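The WAF check recommended above, written out as an added example (Python, not code from the advisory, from Exploit-DB 52490 or from the Zhiyuan OA product): the function parses a multipart/form-data request aimed at /seeyon/wpsAssistServlet, extracts the form fields, and flags a `..` path segment in the two parameters the advisory names (realFileType, fileId), after repeated percent-decoding so that double-encoded variants are caught too. The sample request body, the boundary string and the field values are constructed for the example.

```python
# Added example for this advisory; it is not code from the advisory, from
# Exploit-DB 52490 or from the Zhiyuan OA product. It shows a WAF-style
# check: parse a multipart/form-data upload aimed at /seeyon/wpsAssistServlet
# and flag directory traversal in the form fields the advisory names
# (realFileType, fileId), including URL-encoded variants.
# The request body below is constructed for the example.
import re
from email.parser import BytesParser
from email.policy import default
from urllib.parse import unquote

TARGET_PATH = "/seeyon/wpsAssistServlet"
WATCHED_FIELDS = {"realFileType", "fileId"}
# ".." as a whole path segment, with either separator (constructed pattern)
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that a
    double-encoded %252e%252e%252f still resolves to ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment."""
    return TRAVERSAL_RE.search(decode_fully(value)) is not None


def parse_form_fields(content_type: str, body: bytes) -> dict[str, str]:
    """Return {name: value} for the non-file parts of a multipart body."""
    raw = f"MIME-Version: 1.0\r\nContent-Type: {content_type}\r\n\r\n".encode() + body
    msg = BytesParser(policy=default).parsebytes(raw)
    fields: dict[str, str] = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name is None or part.get_filename() is not None:
            continue  # skip the file part itself; only form fields are checked
        payload = part.get_payload(decode=True) or b""
        fields[name] = payload.decode("utf-8", "replace").strip()
    return fields


def inspect_upload(path: str, content_type: str, body: bytes) -> list[str]:
    """Return a list of findings for one request (empty list means allow)."""
    if path.split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    for name, value in parse_form_fields(content_type, body).items():
        if name in WATCHED_FIELDS and has_traversal(value):
            findings.append(f"{name}: traversal in {value!r}")
    return findings


# Constructed sample request: realFileType carries a double-encoded traversal.
BOUNDARY = "----exampleboundary"
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fileId"\r\n\r\n'
    "20250001\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="realFileType"\r\n\r\n'
    "%252e%252e%252f%252e%252e%252fexample.jsp\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.docx"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "PK constructed file content\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

if __name__ == "__main__":
    for finding in inspect_upload(TARGET_PATH, SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print("BLOCK:", finding)
```

Matching on a whole `..` segment rather than on the literal string `../` is deliberate: it catches `..\` and a bare `..` at the end of a value while leaving legitimate names such as `a..b` alone. Because the parameters travel in the multipart body, a rule that only inspects the URL or query string will not see them.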
Technical Notes – The flaw resides in multipart file‑upload handling: the realFileType and fileId parameters are not properly validated, so .. sequences in them traverse directories and the upload lands outside the intended directory. Successful exploitation results in remote code execution (RCE) via an uploaded JSP. CVE‑2025‑34040 (NVD pending). Source: Exploit‑DB 52490
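To make the technical note concrete, here is an added example (Python, not code from Zhiyuan OA, the advisory or Exploit-DB 52490) that contrasts the kind of path construction an unvalidated realFileType/fileId implies, the two parameters joined straight onto the upload directory, with a hardened version that allowlists the type, restricts the id to a single path-free token, and confirms the canonical destination still lies inside the upload directory. The upload directory, the allowlist, the id format and the way the two parameters are combined are assumptions made for the example; the advisory only states that the two parameters are not validated.

```python
# Added example for this advisory; not code from Zhiyuan OA, the advisory or
# Exploit-DB 52490. It contrasts a naive join of realFileType/fileId onto the
# upload directory with a hardened version. UPLOAD_DIR, ALLOWED_TYPES,
# FILE_ID_RE and the "{fileId}.{realFileType}" naming are assumptions made
# for the example, not the product's actual logic.
import os
import re

UPLOAD_DIR = "/srv/oa/upload"                                          # assumed location
ALLOWED_TYPES = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf"}   # assumed allowlist
FILE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")                        # assumed id shape


def vulnerable_destination(upload_dir: str, file_id: str, real_file_type: str) -> str:
    """Naive join: '..' in either parameter walks out of upload_dir, and an
    absolute file_id makes os.path.join discard upload_dir entirely."""
    return os.path.join(upload_dir, f"{file_id}.{real_file_type}")


def escapes(upload_dir: str, destination: str) -> bool:
    """True if the canonical destination lies outside the canonical upload_dir."""
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(destination)
    return os.path.commonpath([base, dest]) != base


def hardened_destination(upload_dir: str, file_id: str, real_file_type: str) -> str:
    """Validate both parameters, then re-check containment on the canonical path."""
    if real_file_type not in ALLOWED_TYPES:
        raise ValueError(f"file type not allowed: {real_file_type!r}")
    if not FILE_ID_RE.fullmatch(file_id):
        raise ValueError(f"malformed file id: {file_id!r}")
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, f"{file_id}.{real_file_type}"))
    # Defence in depth: even if the checks above are loosened later, a
    # destination outside the upload directory is still refused.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes upload directory")
    return dest


def is_rejected(file_id: str, real_file_type: str) -> bool:
    """Convenience wrapper: does the hardened version refuse this pair?"""
    try:
        hardened_destination(UPLOAD_DIR, file_id, real_file_type)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed traversal values; the real exploit payload is not reproduced here.
    samples = [("20250001", "docx"), ("../../webapps/seeyon/x", "jsp"), ("/tmp/x", "jsp")]
    for file_id, ftype in samples:
        naive = vulnerable_destination(UPLOAD_DIR, file_id, ftype)
        print(f"{file_id!r}.{ftype}: naive -> {naive} "
              f"(escapes={escapes(UPLOAD_DIR, naive)}), "
              f"hardened rejects={is_rejected(file_id, ftype)}")
```

Two points carry over to any servlet that builds a destination from request parameters: the extension allowlist is what keeps a JSP out of the webroot even when traversal is blocked, and the containment check must run on the canonicalised path (realpath, or the equivalent normalisation in Java) rather than on the raw string, otherwise `..` and symlinks slip past a prefix comparison.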