CVE-2023-7305
CRITICAL EXPLOITED
SmartBI V8-V10 - Unrestricted File Upload
Title source: llm
Description
SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild.
References (4)
Core References
Various Sources (release-notes, patch): https://www.smartbi.com.cn/patchinfo
Various Sources (vdb-entry): https://avd.aliyun.com/detail?id=AVD-2023-1673292
Various Sources (technical-description, exploit): https://jeyiuwai.pages.dev/posts/1day-%E8%B7%9F%E8%B8%AAsmartbi-rmiservlet-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/
Third Party Advisory (third-party-advisory): https://www.vulncheck.com/advisories/smartbi-rmiservlet-unrestricted-file-upload-rce
Scores
CVSS v4: 9.2
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0024
EPSS Percentile: 47.2%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
VulnCheck KEV: 2025-10-14
CWE: CWE-434
Status: published
Products (3)
Guangzhou Smart Software Co., Ltd./SmartBI
V10 - July 2023 update
Guangzhou Smart Software Co., Ltd./SmartBI
V8 - July 2023 update
Guangzhou Smart Software Co., Ltd./SmartBI
V9 - July 2023 update
Published: Oct 15, 2025
Tracked Since: Feb 18, 2026