Horizon Alert
Summary of the vulnerability and why it matters
This advisory details a critical vulnerability in Yonyou KSOA software that allows unauthenticated attackers to upload malicious files, leading to remote code execution. The issue stems from an unvalidated file upload function within the ImageUpload servlet, potentially exposing systems to unauthorized control.
- Unauthenticated file upload allows system takeover.
- Critical vulnerability in widely used business software.
- Confirm relevance and assess potential exposure.
Attack Path
How an attacker could exploit the issue
An attacker can exploit this vulnerability by sending a crafted POST request to the `com.sksoft.bill.ImageUpload` servlet. This request can include specially designed filepath and filename parameters, bypassing any necessary authentication or file validation. By uploading a malicious JSP webshell, the attacker can achieve remote code execution on the affected server.
- No authentication needed.
- Upload malicious file via POST request.
- Remote code execution.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow unauthenticated attackers to upload and execute arbitrary code on systems running Yonyou KSOA, when supported by the advisory. This could lead to a compromise of the affected server.
- System data and service behavior.
- Via unauthenticated file upload.
- Remote code execution.
Operational Fix
Recommended remediation, mitigation, and detection steps
Application owners and infrastructure teams are likely responsible for addressing this critical vulnerability. The first practical step is to identify all instances of the affected technology, confirm their network exposure and business criticality, and then locate the accountable owner to plan remediation.
- Verify deployed instances and exposure.
- Identify the accountable technology owner.
- Plan remediation based on risk.