External risk intelligence

YonBIP ArcpUploadAction Arbitrary File Upload Leading to Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2023-51925

YonBIP is an enterprise business innovation platform typically deployed as a web-based application or service. File upload functionalities in such enterprise web platforms are commonly accessible to users or integrated systems via the internet, making the vulnerable endpoint likely to be exposed in standard deployment configurations.

Unrestricted File Upload

Yonyou Yonbip

3_23.05

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

An arbitrary file upload vulnerability exists in a YonBIP component, specifically within its task monitoring and action processing capabilities. This issue allows for the execution of arbitrary code through the upload of specially crafted files, posing a significant risk to the integrity and security of affected systems.

  • Uploads can let attackers run their own code.
  • Critical vulnerability impacts business platform integrity.
  • Confirm relevance; understand potential code execution.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by uploading a specially crafted file through a network-accessible interface. The vulnerability lies within the `ArcpUploadAction.doAction()` method, which, when triggered by the malicious file upload, can lead to the execution of arbitrary code on the system.

  • No authentication is required.
  • Upload a crafted file.
  • Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary code on the affected system by uploading a specially crafted file. This is possible due to an arbitrary file upload flaw in a specific method within the `nccloud.web.arcp.taskmonitor.action.ArcpUploadAction` component.

  • System data could be compromised.
  • Arbitrary code execution via file upload.
  • Unrestricted remote code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts YonBIP, a platform likely managed by application owners or a dedicated platform team. The immediate priority is to pinpoint all instances of the affected technology, assess their reachability and business criticality, and identify the accountable system owner. Remediation planning should then align with the identified risk levels and established maintenance procedures.

  • Application or platform teams should own the issue.
  • Verify external reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is YonBIP?

YonBIP is an enterprise business innovation platform from Yonyou. Organizations use this software as a centralized web-based hub to manage complex business processes, workflows, and data tasks across their enterprise.

How does CVE-2023-51925 work?

This vulnerability is an Unrestricted Upload of File with Dangerous Type (CWE-434). It exists because the application's task monitor component fails to properly validate files uploaded through the ArcpUploadAction method, allowing attackers to place malicious scripts on the server and trigger them to run.

What triggers the vulnerability in YonBIP?

The flaw is triggered when an attacker sends a specially crafted file to the specific task monitoring endpoint. The process does not require the attacker to be authenticated, meaning they do not need a valid user account or login credentials to initiate the malicious upload.

Do I need to worry if my YonBIP instance is internal?

According to Halo Surface Signal, this vulnerability is most concerning for instances exposed to the internet, as the file upload endpoint is frequently reachable in standard web configurations. While internal systems may be at lower immediate risk from remote actors, any accessible upload point remains a potential path for code execution.

What should I do if I use YonBIP?

Begin by identifying all running instances of the affected YonBIP version and determining which teams are responsible for their maintenance. Assess the accessibility and business impact of these instances to prioritize your response, then coordinate with your platform owners to apply the necessary security updates or configuration changes provided by the vendor.

References