External risk intelligence

Yonyou KSOA Arbitrary File Upload Leading to Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2022-50973

The vulnerability exists in a web-based servlet designed for file uploads, which is a common feature of web applications. Because this endpoint is reachable via the network without authentication and is part of a web application platform frequently deployed as a public-facing service, it is likely to be exposed to the internet in common deployments.

Unrestricted File Upload

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Yonyou KSOA software that allows unauthenticated attackers to upload malicious files, leading to remote code execution. The issue stems from an unvalidated file upload function within the ImageUpload servlet, potentially exposing systems to unauthorized control.

  • Unauthenticated file upload allows system takeover.
  • Critical vulnerability in widely used business software.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a crafted POST request to the `com.sksoft.bill.ImageUpload` servlet. This request can include specially designed filepath and filename parameters, bypassing any necessary authentication or file validation. By uploading a malicious JSP webshell, the attacker can achieve remote code execution on the affected server.

  • No authentication needed.
  • Upload malicious file via POST request.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to upload and execute arbitrary code on systems running Yonyou KSOA, when supported by the advisory. This could lead to a compromise of the affected server.

  • System data and service behavior.
  • Via unauthenticated file upload.
  • Remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this critical vulnerability. The first practical step is to identify all instances of the affected technology, confirm their network exposure and business criticality, and then locate the accountable owner to plan remediation.

  • Verify deployed instances and exposure.
  • Identify the accountable technology owner.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Yonyou KSOA?

Yonyou KSOA is an enterprise-grade software platform primarily used for business management and office automation. It provides centralized tools for administrative operations and organizational workflows, typically acting as a core system for storing and processing sensitive business information within an organization's internal infrastructure.

What is the vulnerability in CVE-2022-50973?

This vulnerability is an Unrestricted Upload of File with Dangerous Type, classified as CWE-434. In simple terms, the software’s image processing component fails to check if an uploaded file is actually an image. Because it lacks these security guardrails, an attacker can upload an executable script—like a JSP webshell—instead of a standard photo, allowing them to gain control over the server.

How does an attacker trigger this bug?

An attacker triggers this flaw by sending a specific HTTP POST request to the application's ImageUpload servlet. The request does not require any prior login or valid user credentials. It is important to note that the vulnerability is triggered by the application's failure to validate the filename or file content; it is not triggered by standard, legitimate usage of the system's intended image upload features.

Why is this CVE relevant to my network?

According to Halo Surface Signal, this vulnerability is highly relevant because the vulnerable servlet is part of a web application frequently exposed directly to the internet. If your Yonyou KSOA instance is reachable from the public web, it is significantly more likely to be targeted, as the vulnerability requires no authentication to reach the affected endpoint.

Do I need to take action if I use Yonyou KSOA?

Yes. You should start by creating an inventory of all systems in your environment running this software. Once identified, verify which instances are accessible via the network and coordinate with your internal technical teams to determine ownership. Following this identification, you must prioritize this threat to ensure appropriate remediation steps are planned and executed to secure the vulnerable components.

References