CVE-2025-34040

CRITICAL EXPLOITED NUCLEI

Zhiyuan OA Web Application System - Unauthenticated Arbitrary File Upload and Remote Code Execution via wpsAssistServlet

Exploitation Summary

CVE-2025-34040 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, from researchers Beatriz Fresno Naumova and jisi-001. A Nuclei detection template is also available.

Description

An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.
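
A log-review check for the behaviour described above, added here as an example and not taken from the advisory, either PoC, or the Nuclei template: it flags access-log requests to `wpsAssistServlet` whose `realFileType` or `fileId` value carries a traversal sequence or a JSP extension. The `/seeyon/` path prefix, the combined log format, and the parameters being visible in the logged query string are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format); addresses and values are illustrative.
SAMPLE_LOG = """
203.0.113.7 - - [01/Feb/2025:10:00:01 +0000] "POST /seeyon/wpsAssistServlet?realFileType=../../../../example/probe.jsp&fileId=2 HTTP/1.1" 200 51
198.51.100.9 - - [01/Feb/2025:10:02:14 +0000] "POST /seeyon/wpsAssistServlet?realFileType=%252e%252e%252fprobe.jsp&fileId=7 HTTP/1.1" 200 51
192.0.2.10 - - [01/Feb/2025:10:05:30 +0000] "POST /seeyon/wpsAssistServlet?realFileType=.docx&fileId=1001 HTTP/1.1" 200 51
192.0.2.11 - - [01/Feb/2025:10:06:02 +0000] "GET /seeyon/index.jsp HTTP/1.1" 200 1024
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = (".jsp", ".jspx")
WATCHED_PARAMS = ("realFileType", "fileId")  # parameter names from the advisory text


def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(line):
    """Return a finding dict for a suspicious wpsAssistServlet request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    if "wpsassistservlet" not in decode(url.path).lower():
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = decode(raw).replace("\\", "/")
            if "../" in value:
                reasons.append(f"{name}: path traversal")
            if value.lower().endswith(SCRIPT_EXT):
                reasons.append(f"{name}: server-side script extension")
    if not reasons:
        return None
    return {"client": client, "method": method, "status": int(status), "reasons": reasons}


def scan(text):
    return [hit for hit in map(inspect, text.splitlines()) if hit]
```

A hit with a 2xx status is worth following up by checking the web root for JSP files created around the request time, since the uploaded file is reachable through the web server.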

Exploits (2)

exploitdb WORKING POC
by Beatriz Fresno Naumova · text · webapps · multiple
https://www.exploit-db.com/exploits/52490

The exploit demonstrates a path traversal vulnerability in Zhiyuan OA's `wpsAssistServlet` allowing unauthenticated arbitrary file upload. By manipulating the `realFileType` parameter, an attacker can place a JSP file in the webroot, leading to remote code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Zhiyuan OA (versions 5.0, 5.1–5.6sp1, 6.0–6.1sp2, 7.0–7.1sp1, 8.0–8.0sp2)
No auth needed
Prerequisites: Network access to the target server · Target running vulnerable Zhiyuan OA version
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC 2 stars
by jisi-001 · remote
https://github.com/jisi-001/CVE-2025-34040Exp

This repository contains a Python-based exploit for CVE-2025-34040, targeting a file upload vulnerability in ZhiYuan OA that leads to RCE. The PoC constructs a malicious multipart/form-data request to upload a JSP file to a predictable path, then verifies its presence via HTTP GET.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: ZhiYuan OA (specific version not specified)
No auth needed
Prerequisites: Network access to the target · Target running vulnerable ZhiYuan OA instance
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Zhiyuan OA Platform - Arbitrary File Upload
CRITICAL · VERIFIED · by iamnoooob, pdresearch
FOFA: body="seeyon/index.jsp"

Scores

CVSS v4: 10.0
EPSS: 0.1021
EPSS Percentile: 95.1%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2025-06-23
CWE: CWE-22, CWE-434
Status: published
Products (7)
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 5.0
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 5.1 - 5.6sp1
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 6.0 - 6.1sp2
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 7.0
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 7.0sp1 - 7.1
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 7.1sp1
Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.)/Zhiyuan OA Web Application System 8.0 - 8.0sp2
Published Jun 24, 2025
Tracked Since Feb 18, 2026