CVE-2025-1818

6.3 MEDIUM

📋 TL;DR

This critical vulnerability in zj1983 zz software allows remote attackers to upload arbitrary files without restrictions via the ZfileAction.upload function. Attackers can potentially upload malicious files like webshells to gain unauthorized access or execute code. All systems running zj1983 zz up to version 2024-8 are affected.

💻 Affected Systems

Products:
  • zj1983 zz
Versions: Up to 2024-8
Operating Systems: Any OS running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the file upload functionality in ZfileAction.upload specifically; all deployments with this feature enabled are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Attackers upload webshells or malware to gain persistent access, modify data, or use the system as a foothold for further attacks.

🟢 If Mitigated: File uploads are blocked or properly validated, preventing malicious file execution while maintaining legitimate functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly disclosed, making it easy for attackers to weaponize. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor was contacted but did not respond. Consider workarounds or discontinuing use of affected software.

🔧 Temporary Workarounds

Disable File Upload Endpoint (applies to: all)

Block or disable the vulnerable ZfileAction.upload endpoint to prevent exploitation. Modify web.xml or the application configuration to remove or disable the upload endpoint.

Implement File Upload Validation (applies to: all)

Add server-side validation for file types, extensions, and content to restrict uploads. Implement file type checking, extension whitelisting, and content validation in the upload handler.

🧯 If You Can't Patch

  • Implement network segmentation to isolate affected systems and restrict access to upload endpoints.
  • Deploy a web application firewall (WAF) with rules to block malicious file upload attempts.

🔍 How to Verify

Check if Vulnerable:

Check if the system is running zj1983 zz version 2024-8 or earlier and has the ZfileAction.upload endpoint accessible.

Check Version:

Check application version in configuration files or via application interface if available.

Verify Fix Applied:

Test the upload function with file types that should be rejected (for example, .jsp); if such a file is accepted, the system is still vulnerable.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to ZfileAction.upload endpoint
  • Uploads of executable files (e.g., .jsp, .war, .exe)
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file names or content
  • Traffic spikes to upload URLs

SIEM Query:

source="web_logs" AND uri="/ZfileAction.upload" AND (file_extension IN ("jsp", "war", "exe") OR status_code=200)

Note that the status_code=200 branch matches every successful request to the endpoint, including legitimate uploads, so treat this query as a broad starting point and narrow it to the risky extensions or to unexpected source addresses once a baseline of normal upload activity is known.
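As an added illustration of the log indicators and SIEM query above (example code written for this page, not part of the advisory or the zj1983 zz project), the following Python applies the same two checks to constructed access-log lines: executable file names sent to the upload endpoint, and repeated failed upload attempts per client. The combined log format, the "name" query parameter carrying the file name, and the failure threshold are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined format (not from a real deployment).
# The "name" query parameter carrying the uploaded file name is an assumption;
# the advisory does not document the endpoint's parameters.
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "POST /zz/ZfileAction.upload?name=report.pdf HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2025:10:01:09 +0000] "POST /zz/ZfileAction.upload?name=cmd.jsp HTTP/1.1" 200 77
10.0.0.9 - - [12/Mar/2025:10:02:00 +0000] "GET /zz/index.html HTTP/1.1" 200 4096
10.0.0.7 - - [12/Mar/2025:10:03:11 +0000] "POST /zz/ZfileAction.upload?name=a.exe HTTP/1.1" 403 0
10.0.0.7 - - [12/Mar/2025:10:03:12 +0000] "POST /zz/ZfileAction.upload?name=b.war HTTP/1.1" 403 0
10.0.0.7 - - [12/Mar/2025:10:03:13 +0000] "POST /zz/ZfileAction.upload?name=c.jsp HTTP/1.1" 403 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ENDPOINT = "ZfileAction.upload"
RISKY_EXT = {"jsp", "war", "exe"}  # extensions the advisory lists as indicators


def uploaded_name(uri):
    # Assumed "name" query parameter, lower-cased; '' when absent.
    return parse_qs(urlsplit(uri).query).get("name", [""])[0].lower()


def analyze(log_text, fail_threshold=3):
    # Applies the advisory's two log indicators: executable file names sent to
    # the upload endpoint, and repeated failed upload attempts per client.
    executable_uploads = []  # (client_ip, filename, status)
    failures = Counter()     # non-2xx POSTs to the endpoint, per client
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, uri, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if method != "POST" or ENDPOINT not in urlsplit(uri).path:
            continue
        name = uploaded_name(uri)
        if "." in name and name.rsplit(".", 1)[1] in RISKY_EXT:
            executable_uploads.append((ip, name, status))
        if not 200 <= status < 300:
            failures[ip] += 1
    repeated = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"executable_uploads": executable_uploads, "repeated_failures": repeated}
```

Running analyze(SAMPLE_LOGS) flags the .jsp upload that returned 200 (the case the SIEM query is meant to surface) and the client that made three rejected upload attempts in a row.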
