Cyber Resilience

CVE-2025-34040

Critical · Public PoC

Published: 24 June 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score v4: 10.0
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0968 (93.1th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34040 is a critical-severity Path Traversal (CWE-22) vulnerability in Seeyon (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

An arbitrary file upload vulnerability affects the Zhiyuan OA platform through the wpsAssistServlet interface. Improper validation of the realFileType and fileId parameters during multipart uploads permits path traversal, enabling the placement of crafted JSP files outside designated directories. The issue is tracked under CWE-22 and CWE-434 and carries a CVSS 4.0 score of 10.0.

Unauthenticated remote attackers can exploit the flaw to upload and execute arbitrary JSP payloads, resulting in remote code execution on the web server. Exploitation evidence was recorded by the Shadowserver Foundation on 2025-02-01 UTC.

Vendor advisories and patch repositories, including those referenced by Seeyon and CNVD, direct administrators to apply available security updates for the affected OA platform. Public exploit code has also been published on Exploit-DB.

The EPSS score rose from lower values to a peak of 0.1619 on 2026-05-31 before receding to the current 0.0968, indicating increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Seeyon
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
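
The CWE-22 and CWE-434 controls above, sketched as an added example for a servlet-style upload handler; it is not Seeyon's code and not from the original entry. The class name, upload root, allowlists, and the reading of fileId as an opaque identifier and realFileType as a bare extension are assumptions, and the sample inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example with hypothetical names; not the vendor's implementation.
public class SafeUploadTarget {
    // Assumption: fileId is an opaque identifier, so separators and dots are never valid.
    private static final Pattern FILE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    // Assumption: realFileType is a bare extension; anything the server can execute is absent.
    private static final Set<String> ALLOWED_TYPES =
            Set.of("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf");

    static Path resolve(Path uploadRoot, String fileId, String realFileType) throws IOException {
        // CWE-22: allowlist the identifier instead of stripping "../" sequences.
        if (fileId == null || !FILE_ID.matcher(fileId).matches()) {
            throw new SecurityException("rejected fileId");
        }
        // CWE-434: allowlist the type after case folding, so "JSP" and "jsp" are treated alike.
        String type = realFileType == null ? "" : realFileType.toLowerCase(Locale.ROOT);
        if (!ALLOWED_TYPES.contains(type)) {
            throw new SecurityException("rejected realFileType");
        }
        // Defence in depth: canonicalise the root, then confirm the target stays under it.
        Path root = uploadRoot.toRealPath();
        Path target = root.resolve(fileId + "." + type).normalize();
        if (!target.startsWith(root)) {
            throw new SecurityException("target escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("uploads");
        String[][] cases = { // constructed inputs: {fileId, realFileType}
            {"1001", "docx"}, {"1001", "JSP"},
            {"../../outside/x", "docx"}, {"1001", "../../outside/x.jsp"},
        };
        for (String[] c : cases) {
            try {
                System.out.println("accepted: " + resolve(root, c[0], c[1]).getFileName());
            } catch (SecurityException e) {
                System.out.println("blocked (" + e.getMessage() + "): " + c[0] + " / " + c[1]);
            }
        }
    }
}
```

Only the first case is accepted; storing uploads in a directory the web server does not serve or interpret as JSP limits the impact if a check is bypassed.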

References