CVE-2025-34040
Published: 24 June 2025
Summary
CVE-2025-34040 is a critical-severity Path Traversal (CWE-22) vulnerability in Seeyon (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An arbitrary file upload vulnerability affects the Zhiyuan OA platform through the wpsAssistServlet interface. Improper validation of the realFileType and fileId parameters during multipart uploads permits path traversal, enabling the placement of crafted JSP files outside designated directories. The issue is tracked under CWE-22 and CWE-434 and carries a CVSS 4.0 score of 10.0.
Unauthenticated remote attackers can exploit the flaw to upload and execute arbitrary JSP payloads, resulting in remote code execution on the web server. Exploitation evidence was recorded by the Shadowserver Foundation on 2025-02-01 UTC.
Vendor advisories and patch repositories, including those referenced by Seeyon and CNVD, direct administrators to apply available security updates for the affected OA platform. Public exploit code has also been published on Exploit-DB.
The EPSS score climbed to a peak of 0.1619 on 2026-05-31 before falling back to the current 0.0968, indicating heightened exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19043
Vulnerability details
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Validates pathnames and filenames to prevent traversal outside intended directories.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
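The two weaknesses this entry cites (CWE-22 path traversal and CWE-434 unrestricted upload) are both addressed by the "validates pathnames and filenames" control above. The following is an added example, not Seeyon/Zhiyuan code and not the wpsAssistServlet implementation: it shows how an upload handler can validate the two parameters named in the description (realFileType and fileId) with an extension allow-list, a strict identifier pattern, and a containment check on the resolved path. The upload root, the allow-list and the sample requests are assumptions constructed for illustration.

```python
"""Hardened handling of the realFileType and fileId upload parameters.

Added example for CVE-2025-34040, not vendor code. Parameter names come from
the CVE description; UPLOAD_ROOT, ALLOWED_TYPES and the sample requests are
constructed for this illustration.
"""
import re
from pathlib import Path

UPLOAD_ROOT = Path("/srv/oa/uploads")                          # assumed upload root
ALLOWED_TYPES = {"doc", "docx", "xls", "xlsx", "pdf", "txt"}   # assumed allow-list
# fileId must be an opaque token: no dots, slashes or backslashes, so no
# traversal segments can be built from it.
FILE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when a request would write outside the upload root or a
    disallowed file type."""


def resolve_upload_path(real_file_type: str, file_id: str,
                        upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the only path this request is allowed to write, or raise.

    Allow-listing the extension (rather than deny-listing 'jsp') prevents
    executable content from being stored where the web server could serve it.
    """
    ftype = real_file_type.strip().lower()
    if ftype not in ALLOWED_TYPES:
        raise UploadRejected(f"file type not allowed: {real_file_type!r}")
    if not FILE_ID_RE.fullmatch(file_id):
        raise UploadRejected(f"malformed fileId: {file_id!r}")

    # The server, not the client, composes the final name.
    candidate = upload_root / f"{file_id}.{ftype}"

    # Defence in depth: even if the pattern above were loosened, refuse any
    # path whose resolved form escapes the upload root.
    root = upload_root.resolve()
    resolved = candidate.resolve()
    if not resolved.is_relative_to(root) or resolved.parent != root:
        raise UploadRejected(f"path escapes upload root: {candidate}")
    return candidate


def is_accepted(real_file_type: str, file_id: str) -> bool:
    """Boolean wrapper used for triage and for the test below."""
    try:
        resolve_upload_path(real_file_type, file_id)
        return True
    except UploadRejected:
        return False


def triage(requests):
    """Classify (realFileType, fileId) pairs; returns {pair: 'accept'|'reject'}."""
    return {pair: ("accept" if is_accepted(*pair) else "reject") for pair in requests}


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest shaped like the
    # weakness classes cited in the entry (wrong type, traversal in fileId).
    samples = [
        ("pdf", "report_42"),
        ("jsp", "upload_1"),
        ("pdf", "../../webapps/ROOT/x"),
        ("pdf", "..\\..\\webapps\\ROOT\\x"),
        ("pdf", ""),
    ]
    for pair, verdict in triage(samples).items():
        print(f"{verdict:7} {pair}")
```

Logging the rejected pairs from `triage` gives a cheap detection signal: a burst of rejections with `jsp` types or separator characters in fileId on the upload endpoint is exactly the traffic this advisory describes.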