CVE-2025-6761
📋 TL;DR
This critical vulnerability in Kingdee Cloud-Starry-Sky Enterprise Edition allows remote attackers to execute arbitrary code through template injection in the Freemarker Engine. The flaw enables attackers to bypass security controls and potentially take full control of affected systems. All organizations running vulnerable versions of Kingdee's enterprise software are at risk.
💻 Affected Systems
- Kingdee Cloud-Starry-Sky Enterprise Edition
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, ransomware deployment, and lateral movement across the network.
Likely Case
Server compromise allowing data exfiltration, installation of backdoors, and disruption of business operations.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and least privilege access controls are implemented.
🎯 Exploit Status
Exploit details have been publicly disclosed, making weaponization highly probable. The vulnerability requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed release with Freemarker set to 'ALLOWS_NOTHING_RESOLVER'
Vendor Advisory: https://vip.kingdee.com/link/s/ZlWX7
Restart Required: Yes
Instructions:
1. Download the latest patched version from Kingdee's official portal.
2. Back up the current installation and data.
3. Apply the patch following Kingdee's upgrade documentation.
4. Restart the application services.
5. Verify the fix is applied.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the vulnerable component using firewall rules
# Example iptables rule to restrict access
# iptables -A INPUT -p tcp --dport [application_port] -s [trusted_ips] -j ACCEPT
# iptables -A INPUT -p tcp --dport [application_port] -j DROP
WAF Rule Implementation
Deploy web application firewall rules to block template injection attempts
# Example ModSecurity rule
# SecRule ARGS "@rx \$\{[^}]+\}" "id:1001,phase:2,deny,log,msg:'Freemarker template injection attempt'"
🧯 If You Can't Patch
- Isolate affected systems in a segmented network zone with strict access controls
- Implement application-level monitoring and alerting for suspicious template engine activity
🔍 How to Verify
Check if Vulnerable:
Check whether you are running Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x-9.0, and examine the Freemarker configuration for the ALLOWS_NOTHING_RESOLVER setting.
Check Version:
# Check Kingdee version via application interface or configuration files
# grep -r "version" /path/to/kingdee/installation/ | grep -i "6\|7\|8\|9.0"
Verify Fix Applied:
Verify the Freemarker Engine configuration shows 'ALLOWS_NOTHING_RESOLVER' is enabled and test with known exploit payloads that should be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual template processing errors
- Freemarker engine exceptions containing user input
- Multiple failed template parsing attempts from single IP
Network Indicators:
- HTTP requests containing ${...} patterns in parameters
- Unusual outbound connections from application server
SIEM Query:
source="kingdee_logs" AND ("Freemarker" OR "template" OR "${*") AND (error OR exception OR failed)
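As an added example (not part of this advisory or Kingdee's own tooling), the log and network indicators above can be checked with a small script over constructed access-log lines: it URL-decodes each request target, flags Freemarker interpolation and directive syntax, and reports source IPs with repeated server errors on such requests. The log format, paths and IPs are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format) for demonstration only.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /report?name=monthly HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2025:10:00:02 +0000] "GET /report?name=%24%7Bfoo%7D HTTP/1.1" 500 88
10.0.0.9 - - [01/Jul/2025:10:00:03 +0000] "GET /report?name=%3C%23assign%20x%3D1%3E HTTP/1.1" 500 88
10.0.0.9 - - [01/Jul/2025:10:00:04 +0000] "POST /template?tpl=${bar} HTTP/1.1" 500 88
10.0.0.7 - - [01/Jul/2025:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 2048
"""

# ip, method, request target and status code from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Freemarker interpolation ${...} / #{...} and directive <#...> syntax, checked after URL decoding
TEMPLATE_RE = re.compile(r'[$#]\{[^}]*\}|<#\w+')


def find_template_hits(log_text):
    """Return one dict per request whose decoded target contains template syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m.group("target"))  # %24%7B... -> ${...}
        if TEMPLATE_RE.search(decoded):
            hits.append({"ip": m.group("ip"), "target": decoded, "status": int(m.group("status"))})
    return hits


def suspicious_sources(log_text, threshold=2):
    """IPs with at least `threshold` template-syntax requests that ended in a 5xx error."""
    errors = Counter(h["ip"] for h in find_template_hits(log_text) if h["status"] >= 500)
    return {ip: n for ip, n in errors.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_template_hits(SAMPLE_LOG):
        print(hit)
    print(suspicious_sources(SAMPLE_LOG))
```

Decoding before matching matters: the first two flagged lines carry the template syntax only in percent-encoded form and would be missed by a plain string search for `${`.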