CVE-2025-8516
📋 TL;DR
This CVE describes a path traversal vulnerability in Kingdee Cloud-Starry-Sky Enterprise Edition that allows attackers to delete arbitrary files by manipulating the filePath parameter. The vulnerability affects systems running Kingdee Cloud-Starry-Sky Enterprise Edition up to version 8.2. Attackers can exploit this remotely without authentication.
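The mechanism, as an added illustration that is not Kingdee's code: the flawed pattern joins the request's filePath onto a base directory and deletes whatever results, so "../" segments or an absolute path walk out of the intended directory; the hardened form canonicalises the path and refuses anything that does not stay inside the base. Shown in Python for clarity (the page names an ASP.NET .ashx handler whose source is not reproduced here); the upload root, the function names and the sample inputs are assumptions.

```python
import os
from pathlib import Path

# Hypothetical upload root for illustration; the product's real directory
# layout is not documented on this page.
UPLOAD_ROOT = Path("/srv/app/uploads")


def vulnerable_target(file_path: str, root: Path = UPLOAD_ROOT) -> str:
    """The flawed pattern: glue the request's filePath onto the upload root
    and delete whatever the result names. os.path.join discards root when
    file_path is absolute, and normpath walks '..' segments above root, so
    the caller chooses the final path."""
    return os.path.normpath(os.path.join(str(root), file_path))


def safe_target(file_path: str, root: Path = UPLOAD_ROOT) -> Path:
    """The hardened pattern: canonicalise, then require the result to stay
    strictly inside root. Raises ValueError for anything that escapes."""
    if not file_path or "\x00" in file_path or "\\" in file_path:
        # NUL bytes truncate paths in some runtimes; backslashes are a
        # separator on Windows hosts (the page names IIS), so refuse both.
        raise ValueError("rejected filePath: %r" % file_path)
    root_resolved = root.resolve(strict=False)
    # Path('/root') / '/etc/passwd' yields '/etc/passwd': an absolute input
    # discards root, which the containment check below catches.
    candidate = (root_resolved / file_path).resolve(strict=False)
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise ValueError("filePath escapes upload root: %r" % file_path)
    if candidate == root_resolved:
        raise ValueError("filePath names the upload root itself")
    return candidate


def is_rejected(file_path: str, root: Path = UPLOAD_ROOT) -> bool:
    """True when the hardened check refuses file_path."""
    try:
        safe_target(file_path, root)
    except ValueError:
        return True
    return False


def delete_upload(file_path: str, root: Path = UPLOAD_ROOT) -> bool:
    """Delete only after the containment check passes. Returns True when a
    file was removed, False when nothing existed at the checked path."""
    target = safe_target(file_path, root)  # raises on traversal
    try:
        target.unlink()
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for p in ("report.pdf", "../../../etc/passwd", "/etc/passwd", "..\\..\\web.config"):
        print("vulnerable:", p, "->", vulnerable_target(p))
        print("hardened:  ", p, "->", "rejected" if is_rejected(p) else safe_target(p))
```

The containment test runs after resolve(), so symlinks inside the upload root that point elsewhere are also caught; checking the raw string for "../" alone would miss them.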
💻 Affected Systems
- Kingdee Cloud-Starry-Sky Enterprise Edition
⚠️ Manual Verification Required
This CVE has no machine-readable version range in the NVD entry, so automated vulnerability detection cannot determine from the version number alone whether your system is affected; check manually against the version named in the disclosure (Enterprise Edition up to 8.2).
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD), even though the description names 8.2 as the upper bound.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete critical system files, configuration files, or application data, potentially causing system unavailability, data loss, or service disruption.
Likely Case
Attackers would delete application files, configuration files, or user-uploaded content to disrupt business operations or deface the application.
If Mitigated
With the endpoint reachable only from trusted networks, and the application pool running under a least-privilege service account that can write only to the application's own directories, a deletion is bounded by that account's file permissions and stays within the application's own files and directories.
🎯 Exploit Status
A public exploit write-up exists, and exploitation needs no authentication: it amounts to sending an HTTP request to the vulnerable endpoint with a crafted filePath parameter (one containing '../' or '..\' segments, or an absolute path).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 8.2 (specific patch version not specified)
Vendor Advisory: https://vip.kingdee.com/link/s/ZgAmJ
Restart Required: No
Instructions:
1. Download the security patch from Kingdee's official website.
2. Apply the patch according to vendor instructions.
3. Verify the patch has been successfully applied.
🔧 Temporary Workarounds
Network Access Restriction
Temporarily disable external network access to the affected Kingdee Cloud-Starry-Sky system, or implement IP whitelisting so that only known client ranges can reach it
Configure firewall rules to restrict access to the affected service
Interface Authentication
Add authentication to the vulnerable CMKAppWebHandler.ashx interface
Configure authentication in IIS for that specific endpoint (a per-path authorization rule that denies anonymous users), then confirm that an unauthenticated request to the endpoint is rejected with 401 rather than processed
🧯 If You Can't Patch
- Implement strict network segmentation and isolate the affected system from untrusted networks
- Deploy a web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether the system is running Kingdee Cloud-Starry-Sky Enterprise Edition version 8.2 or earlier and exposes the vulnerable component (the CMKAppWebHandler.ashx endpoint, or the FileUploadAction.class file named in the disclosure); an unauthenticated request to the endpoint that is answered rather than rejected indicates it is exposed
Check Version:
Check the Kingdee system administration console or configuration files for version information
Verify Fix Applied:
Verify that the patch has been applied by checking the version number and confirming that the vulnerable interface now requires authentication; in a non-production environment, also confirm that a filePath containing '../' is refused rather than acted on
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in application logs
- HTTP requests to CMKAppWebHandler.ashx with filePath parameters containing '../' or '..\' sequences, including URL-encoded forms (%2e%2e%2f, %2e%2e%5c) and double-encoded variants
Network Indicators:
- HTTP requests with path traversal sequences (plain or percent-encoded) or absolute paths in filePath parameters
- Unexpected request methods (DELETE or POST where the application normally uses GET) or an abnormal rate of requests to the vulnerable endpoint, especially from external addresses
SIEM Query:
source="*kingdee*" AND uri="*CMKAppWebHandler.ashx*" AND (filePath="*../*" OR filePath="*..\\*" OR filePath="*%2e%2e%2f*" OR filePath="*%2e%2e%5c*" OR filePath="*..%2f*" OR filePath="*..%5c*")
Match case-insensitively where your SIEM allows it (IIS paths and percent-encoding are case-insensitive), and URL-decode the query string before matching if the platform supports it, so that double-encoded values such as %252e%252e%252f are caught as well.
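A worked detection, added here and not part of the advisory: the script below parses IIS W3C log lines, decodes the filePath query parameter (including double-encoded forms that a literal '../' match misses) and flags traversal-shaped values aimed at CMKAppWebHandler.ashx. The log lines are constructed samples; the field layout is a standard IIS W3C selection, and only the endpoint and parameter names come from the page. IIS logs do not record POST bodies, so a filePath sent in the body is visible only if the handler or a reverse proxy logs it.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS W3C-style log lines for illustration; not real traffic.
# Only the endpoint name (CMKAppWebHandler.ashx) and parameter (filePath)
# come from the advisory; hosts, addresses and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-08-01 10:00:01 10.0.0.5 GET /CMKAppWebHandler.ashx act=del&filePath=uploads%2Freport.pdf 80 - 10.0.0.20 200
2025-08-01 10:00:07 10.0.0.5 GET /CMKAppWebHandler.ashx act=del&filePath=..%2F..%2F..%2Fweb.config 80 - 203.0.113.9 200
2025-08-01 10:00:09 10.0.0.5 GET /cmkappwebhandler.ashx act=del&filePath=..%252F..%252Fweb.config 80 - 203.0.113.9 200
2025-08-01 10:00:12 10.0.0.5 POST /CMKAppWebHandler.ashx act=del&filePath=..%5C..%5Cbin%5Capp.dll 80 - 203.0.113.9 200
2025-08-01 10:00:15 10.0.0.5 GET /index.html - 80 - 10.0.0.21 200
"""

# A '..' segment bounded by separators (or the string edges), a drive letter,
# or a leading separator: any shape that can leave the intended directory.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)|^[A-Za-z]:[\\/]|^[\\/]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (..%252F -> ..%2F -> ../) so double
    encoding cannot slip past a literal '../' match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the most recent
    #Fields header (IIS writes a fresh header at each log rollover)."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_traversal_attempts(text: str, endpoint: str = "CMKAppWebHandler.ashx",
                            param: str = "filePath") -> list:
    """Return the rows whose query string carries a traversal-shaped value in
    `param` for `endpoint`. The stem match is case-insensitive because IIS
    path matching is."""
    hits = []
    for row in parse_w3c(text):
        if not row.get("cs-uri-stem", "").lower().endswith(endpoint.lower()):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        # parse_qs decodes one layer; fully_decode strips any further layers.
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = fully_decode(raw)
            if TRAVERSAL.search(decoded):
                hits.append({"c-ip": row["c-ip"], "method": row["cs-method"],
                             "filePath": decoded, "raw": raw})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Run it against a real log directory by reading each file in turn and passing its contents to find_traversal_attempts; the legitimate request in the sample (uploads/report.pdf) produces no hit, while the three from 203.0.113.9 do, including the double-encoded one.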