
CVE-2025-11139: Path Traversal in Bjskzy Zhiyou ERP

Medium
Published: Mon Sep 29 2025 (09/29/2025, 03:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Bjskzy
Product: Zhiyou ERP

Description

A vulnerability was determined in Bjskzy Zhiyou ERP up to 11.0. Affected is the function uploadStudioFile of the component com.artery.form.services.FormStudioUpdater. This manipulation of the argument filepath causes path traversal. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/29/2025, 04:00:46 UTC

Technical Analysis

CVE-2025-11139 is a path traversal vulnerability in Bjskzy Zhiyou ERP, affecting versions up to and including 11.0. The flaw is in the uploadStudioFile function of the component com.artery.form.services.FormStudioUpdater: the 'filepath' argument is not properly validated or sanitized, so a client can steer the upload destination outside the intended storage directory and place or access files elsewhere on the server's filesystem.

The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the flaw is reachable over the network with low attack complexity, needs no user interaction, and requires only low-privilege access. The base score is 5.3 (medium severity). The vendor was notified but neither responded nor provided a patch, and exploit details have been publicly disclosed, which raises the likelihood of exploitation. No exploitation in the wild has been reported so far, but the combination of public disclosure and an unresponsive vendor is a concern.

The impact on confidentiality, integrity and availability is limited in scope: unauthorized file access can disclose or alter data, and tampering with critical files could disrupt ERP operations. Because an ERP system typically holds sensitive operational data, the weakness is significant for organizations that depend on this software.
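The root cause described above is an upload handler that trusts a client-supplied path. The Python snippet below is an added illustration, not code from Zhiyou ERP or from this advisory: it places the naive join that produces this class of bug beside a hardened resolver that canonicalizes the destination and checks that it stays inside the upload root. The upload root /srv/erp/studio and every function name are assumptions.

```python
import os

# Constructed example upload root (hypothetical path, not taken from the advisory).
BASE_DIR = "/srv/erp/studio"


def naive_join(base_dir, filepath):
    """The pattern behind this class of bug: the client-supplied path is
    appended to the upload root without checking where it ends up."""
    return os.path.join(base_dir, filepath)


def resolve_upload_path(base_dir, filepath):
    """Hardened variant: return the canonical destination, or raise ValueError
    if the request would land anywhere but inside base_dir."""
    if "\x00" in filepath:
        raise ValueError("NUL byte in filepath")
    if os.path.isabs(filepath):
        # os.path.join discards base_dir entirely when the second part is absolute
        raise ValueError("absolute filepath rejected")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and resolves symlinks, so the containment check
    # below sees the path the operating system would actually open
    candidate = os.path.realpath(os.path.join(base, filepath))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("filepath escapes the upload directory: %r" % filepath)
    return candidate


def is_safe_upload_path(base_dir, filepath):
    """Boolean wrapper around resolve_upload_path for quick policy checks."""
    try:
        resolve_upload_path(base_dir, filepath)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for requested in ["forms/invoice.xml", "forms/../../../etc/passwd", "/etc/passwd", "."]:
        print("%-30s naive=%-40s safe=%s" % (
            requested,
            os.path.normpath(naive_join(BASE_DIR, requested)),
            is_safe_upload_path(BASE_DIR, requested)))
```

The check is done on the canonical path rather than on the raw string, so it is not fooled by encodings, mixed separators or symlinks that a pattern-based filter would miss. A Java handler such as the one named in this advisory would express the same rule with `Path.resolve(...).normalize()` followed by `startsWith(base)`, or by comparing `File.getCanonicalPath()` results.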

Potential Impact

For European organizations using Bjskzy Zhiyou ERP version 11.0, this vulnerability poses a tangible risk of unauthorized access to sensitive business data stored on the ERP server. Exploitation could lead to exposure of confidential information, including financial records, personnel data, or proprietary business processes. Additionally, attackers could modify or delete files, potentially disrupting business operations or corrupting data integrity. Given that ERP systems are central to enterprise resource planning, any compromise can have cascading effects on supply chain management, financial reporting, and compliance with regulations such as GDPR. The lack of vendor response and patch availability increases the urgency for European organizations to implement mitigations proactively. Although no widespread exploitation is reported yet, the public availability of exploit information means attackers could develop automated tools targeting vulnerable ERP instances, increasing the likelihood of attacks. Organizations in sectors with high regulatory scrutiny or critical infrastructure may face heightened risks due to the potential impact on data confidentiality and operational continuity.

Mitigation Recommendations

1. Immediate mitigation should include restricting network access to the ERP system, limiting it to trusted internal networks or VPNs to reduce exposure to remote attackers.
2. Implement strict input validation and sanitization at the web application firewall (WAF) or reverse proxy level to detect and block suspicious path traversal patterns in the 'filepath' parameter.
3. Conduct thorough file system permission audits to ensure the ERP application runs with the least privilege necessary, preventing access to sensitive directories outside its scope.
4. Monitor logs for unusual file access patterns or errors related to file uploads that could indicate exploitation attempts.
5. If possible, isolate the ERP server in a segmented network zone to contain potential breaches.
6. Engage with the vendor or community to seek patches or updates; if unavailable, consider applying custom patches or workarounds to sanitize input within the application code.
7. Prepare incident response plans specifically addressing potential data breaches or service disruptions stemming from this vulnerability.
8. Regularly back up ERP data and configurations to enable recovery in case of data corruption or deletion.
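Items 2 and 4 both come down to recognising traversal attempts in the 'filepath' parameter, whether a WAF rule does it inline or an analyst does it over access logs. The following Python example is added here and is not from the advisory or the vendor: it pulls the parameter out of web-server log lines, undoes single and double percent-encoding, normalizes backslashes and flags values that would escape a relative upload directory. The log lines and the /studio/upload endpoint are constructed assumptions; only the parameter name comes from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the page or the vendor). The
# endpoint /studio/upload is an assumption; "filepath" is the parameter named in
# the advisory. Lines 2-4 are traversal attempts in three different encodings.
SAMPLE_LOG = [
    '10.0.0.5 - alice [29/Sep/2025:03:40:01 +0000] "POST /studio/upload?filepath=forms%2Finvoice.xml HTTP/1.1" 200 512',
    '10.0.0.9 - bob [29/Sep/2025:03:41:17 +0000] "POST /studio/upload?filepath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - bob [29/Sep/2025:03:41:18 +0000] "POST /studio/upload?filepath=%252e%252e%2Fconf%2Fapp.properties HTTP/1.1" 500 87',
    '10.0.0.12 - carol [29/Sep/2025:03:42:05 +0000] "POST /studio/upload?filepath=forms%5C..%5C..%5Cweb.xml HTTP/1.1" 200 300',
    '10.0.0.5 - alice [29/Sep/2025:03:43:30 +0000] "GET /studio/list HTTP/1.1" 200 2048',
]

# Matches the request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding; double encoding is a classic way to slip
    past a filter that decodes only once."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize(filepath):
    """Decoded form with backslashes treated as separators, as a Windows host
    or a lenient Java File API would."""
    return decode_fully(filepath).replace("\\", "/")


def is_traversal(filepath):
    """True if the decoded value escapes a relative upload directory: either an
    absolute path or any '..' segment."""
    normalized = normalize(filepath)
    if normalized.startswith("/"):
        return True
    return ".." in normalized.split("/")


def find_traversal_attempts(log_lines):
    """Return one record per log line whose filepath parameter looks like a
    traversal attempt (line number, client, user, decoded path)."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs performs the first round of percent-decoding itself
        for raw in parse_qs(query, keep_blank_values=True).get("filepath", []):
            if is_traversal(raw):
                client, _, user = line.split(" ", 3)[:3]
                hits.append({"line": number, "client": client, "user": user,
                             "filepath": normalize(raw)})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("line %(line)d: %(client)s (%(user)s) -> %(filepath)s" % hit)
```

Segment-based matching (`".." in parts`) rather than a substring search keeps legitimate names such as `report..final.xml` out of the alerts, while the decoding loop and backslash normalization cover the encodings the first recommendation's WAF rule would otherwise need to enumerate one by one.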


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-28T18:42:27.915Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68da015a49cfd472f5831785

Added to database: 9/29/2025, 3:47:38 AM

Last enriched: 9/29/2025, 4:00:46 AM

Last updated: 9/29/2025, 4:00:46 AM
