CVE-2025-5029
MEDIUMKingdee Cloud Galaxy Private Cloud BBC System <9.0 Patch April 2025...
Title source: llmDescription
A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.
References (6)
Core 6
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.309847
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.309847
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.570956
Various Sources exploit
https://wx.mail.qq.com/s?k=nFbp0U0gSX0QVechIO
Various Sources related
https://vip.kingdee.com/knowledge/708656434111770368
Various Sources patch
https://vip.kingdee.com/school/detail/713028702245944320?productLineId=1&lang=zh-CN
Scores
CVSS v3
5.4
EPSS
0.0042
EPSS Percentile
33.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
Kingdee/Cloud Galaxy Private Cloud BBC System
9.0 Patch April 2025
Published
May 21, 2025
Tracked Since
Feb 18, 2026