
CVE-2025-13249: Unrestricted Upload in Jiusi OA

Severity: Medium
Tags: Vulnerability, CVE-2025-13249
Published: Sun Nov 16 2025 (11/16/2025, 11:32:05 UTC)
Source: CVE Database V5
Vendor/Project: Jiusi
Product: OA

Description

A security vulnerability has been detected in Jiusi OA up to 20251102. This affects an unknown function of the file /OfficeServer?isAjaxDownloadTemplate=false of the component OfficeServer Interface. Such manipulation of the argument FileData leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

Last updated: 11/23/2025, 12:05:16 UTC

Technical Analysis

CVE-2025-13249 is a vulnerability in Jiusi OA affecting versions up to 20251102. The flaw sits in the OfficeServer component, at the /OfficeServer?isAjaxDownloadTemplate=false endpoint, where the FileData parameter is not properly validated, so an attacker can upload files without restriction. Exploitation is possible remotely over the network and needs no user interaction, but it does require low privileges (PR:L): an attacker with a limited account on the system, rather than an anonymous one, can trigger it. Because neither the content nor the type of the uploaded file is checked, an attacker can place arbitrary files on the server; where the upload location is served or executed by the application server, that is the classic path to a web shell and remote code execution, and from there to privilege escalation or a persistent backdoor. The scored CVSS 4.0 metrics indicate no user interaction (UI:N) and low impact on the vulnerable system's confidentiality, integrity and availability (VC:L, VI:L, VA:L); note that CVSS 4.0 has no Scope metric, so the vulnerable-system and subsequent-system impacts are scored separately rather than as a scope change. A proof-of-concept exploit has been disclosed publicly, although no exploitation in the wild is known at the time of writing; public disclosure nonetheless raises the likelihood of attempts. Jiusi OA is an office automation platform used mainly by Chinese enterprises and government bodies; it is less common in Europe but may be present in organizations with Chinese business ties or subsidiaries. With no vendor patch available at the time of disclosure, administrators need to apply compensating controls immediately.
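The paragraph above describes the failure mode in general terms: a handler that writes client-supplied file data to disk without checking name, type or content. The following is an added illustration, not Jiusi OA code and not a description of how the vendor's OfficeServer interface is implemented; the parameter names, directory layout, allowlist and size limit are all assumptions. It places a deliberately unrestricted handler beside a hardened one so the individual checks (size, extension allowlist, magic bytes, server-chosen filename, storage outside the web root, non-executable mode) can be seen and exercised.

```python
"""Illustrative unrestricted-upload handler beside a hardened one.

Added example: this is not Jiusi OA code and does not describe how the
vendor's OfficeServer interface is implemented. The parameter names
(file_name, file_data), directory layout, allowlist and size limit are
assumptions made for the illustration.
"""
import os
import secrets
import tempfile

# Assumed layout: the web root is what the app server serves; the safe
# upload directory sits beside it, outside anything served or executed.
BASE_DIR = tempfile.mkdtemp(prefix="upload-demo-")
WEB_ROOT = os.path.join(BASE_DIR, "webroot")
SAFE_UPLOAD_DIR = os.path.join(BASE_DIR, "uploads")
os.makedirs(WEB_ROOT)
os.makedirs(SAFE_UPLOAD_DIR)

MAX_SIZE = 10 * 1024 * 1024  # 10 MiB, an assumed limit for document templates

# Allowlist by extension, with the magic bytes the content must start with.
# The client-sent Content-Type header is deliberately ignored: it is attacker-controlled.
ALLOWED_TYPES = {
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
}


class UploadRejected(Exception):
    pass


def vulnerable_save(file_name: str, file_data: bytes) -> str:
    """Unrestricted upload: trusts the client-supplied name and content.

    Script files and '../' traversal both pass, and the file lands inside
    the web root where the application server may execute it.
    """
    path = os.path.join(WEB_ROOT, file_name)  # no normalisation, no allowlist
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(file_data)
    return path


def hardened_save(file_name: str, file_data: bytes) -> str:
    """Check size, extension and magic bytes, then store under a server-chosen
    name outside the web root with a non-executable mode."""
    if len(file_data) > MAX_SIZE:
        raise UploadRejected("file too large")
    ext = os.path.splitext(os.path.basename(file_name))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not file_data.startswith(magic):
        raise UploadRejected("content does not match the declared type")
    stored_name = secrets.token_hex(16) + ext  # the client name never reaches disk
    path = os.path.join(SAFE_UPLOAD_DIR, stored_name)
    # O_EXCL refuses to overwrite an existing file; 0o600 leaves it non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(file_data)
    return path


def is_rejected(file_name: str, file_data: bytes) -> bool:
    """True if the hardened handler refuses this upload."""
    try:
        hardened_save(file_name, file_data)
    except UploadRejected:
        return True
    return False


def inside(path: str, directory: str) -> bool:
    """True if path resolves to a location inside directory."""
    real_dir = os.path.realpath(directory)
    return os.path.commonpath([real_dir, os.path.realpath(path)]) == real_dir


def stored_mode_ok(path: str) -> bool:
    """True if the file exists and carries no execute bits."""
    return os.path.isfile(path) and (os.stat(path).st_mode & 0o111) == 0


if __name__ == "__main__":
    # Constructed inputs: a script disguised as a template, then a genuine template.
    print(vulnerable_save("../cmd.jsp", b"<% %>"))   # escapes the web root entirely
    print(is_rejected("cmd.jsp", b"<% %>"))          # True: extension not allowed
    print(is_rejected("cmd.docx", b"<% %>"))         # True: magic bytes do not match
    print(hardened_save("report.docx", b"PK\x03\x04" + b"\0" * 32))
```

The magic-byte check is the weakest of the controls (a polyglot can satisfy it), which is why the hardened path does not rely on it alone: the server-chosen name removes traversal and double-extension tricks, and storing outside the web root means that even a file with hostile content is never handed to a script engine.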

Potential Impact

For European organizations using Jiusi OA, this vulnerability poses a significant risk of system compromise. Successful exploitation could lead to remote code execution, allowing attackers to run arbitrary commands, deploy malware, or establish persistent access, threatening the confidentiality, integrity and availability of organizational data and systems. The medium CVSS score reflects a moderate direct impact, but that can escalate when the upload is chained with other vulnerabilities or misconfigurations (for example an upload directory that the application server will execute from). Organizations in government, manufacturing, or enterprises with Chinese partnerships may be particularly targeted. Because only a low-privileged account is needed to reach the upload interface, any compromised or weakly protected user credential is enough to turn the vulnerability into a foothold for lateral movement. The absence of known exploitation in the wild currently leaves a window for proactive defense, but with a public proof of concept available that window may be short. Disruption of business operations, data breaches, and reputational damage are possible consequences if the vulnerability is exploited.

Mitigation Recommendations

1. Immediately restrict who can reach the /OfficeServer?isAjaxDownloadTemplate=false endpoint. A network firewall cannot match on a query string, so use segmentation to keep the OA server off the internet and a reverse proxy or WAF in front of it to confine the OfficeServer interface to the internal users who need it.
2. Strict validation of uploaded files (type, size, content signature) is a fix only the vendor can apply in the application; until then, compensate at the platform level: identify the directory the interface writes to and, where possible, configure the application server not to serve or execute script content from it and mount it with no-execute permissions.
3. Enforce least privilege. The flaw requires a low-privileged account (PR:L), so review which accounts can log in to Jiusi OA, disable unused ones, and rotate credentials that may have been shared or exposed.
4. Monitor web server and application logs for requests to /OfficeServer carrying isAjaxDownloadTemplate=false, especially from unexpected source addresses or automated clients, and watch for new files with script-like extensions appearing in web-served directories.
5. Where a WAF is in place, add rules that block or alert on upload requests to this endpoint that carry script-like file names or content, tuned to the Jiusi OA deployment.
6. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available.
7. Inventory all Jiusi OA instances in the organization so that mitigation covers every deployment, including test and subsidiary systems.
8. Brief IT and security teams on this vulnerability and make sure incident response plans cover a web-shell-via-upload scenario.
9. If the affected functionality is not business critical, disable it temporarily until a patch is applied.
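Items 4 and 5 above ask for monitoring of requests to the endpoint and for spotting follow-on use of an uploaded file. The block below is an added example, not part of the original record and not vendor tooling: it parses nginx/Apache combined-format access logs, flags every request to /OfficeServer that carries isAjaxDownloadTemplate=false, and then applies a triage heuristic, marking requests from the same client to a script-like path within an hour of the hit as possible web-shell use. Assumptions: the record names the endpoint but not the HTTP method, so any method is matched; the set of script extensions and the one-hour window are guesses to adjust to the actual stack; the log lines in SAMPLE_LOG are constructed.

```python
"""Detection over access logs for attempts against the OfficeServer upload endpoint.

Added example, not part of the original page and not vendor tooling. Parses
nginx/Apache combined-format access logs. Assumptions: any request to
/OfficeServer with isAjaxDownloadTemplate=false is an upload attempt (the
record names the endpoint but not the HTTP method); a later request from
the same client to a script-like path is a heuristic sign of web-shell use.
The lines in SAMPLE_LOG are constructed for the example.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Heuristic list; adjust to the script engines the real deployment runs.
SCRIPT_EXT = (".jsp", ".jspx", ".php", ".aspx", ".ashx")
FOLLOW_ON_WINDOW = timedelta(hours=1)

# Constructed sample: one upload hit followed by a suspicious script request
# from the same client, plus benign traffic from other clients.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2025:11:40:01 +0000] "POST /OfficeServer?isAjaxDownloadTemplate=false HTTP/1.1" 200 152 "-" "python-requests/2.32.0"
203.0.113.5 - - [16/Nov/2025:11:40:03 +0000] "GET /upload/cmd.jsp?c=id HTTP/1.1" 200 48 "-" "python-requests/2.32.0"
198.51.100.7 - - [16/Nov/2025:11:41:10 +0000] "GET /OfficeServer?isAjaxDownloadTemplate=true&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Nov/2025:11:42:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a record dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def is_upload_hit(rec):
    """True for any request to /OfficeServer with isAjaxDownloadTemplate=false."""
    return rec["path"] == "/OfficeServer" and rec["query"].get("isAjaxDownloadTemplate") == ["false"]


def analyze(lines):
    """Return upload hits and, per client that produced one, later successful
    requests to script-like paths inside FOLLOW_ON_WINDOW."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["ts"])
    hits = [r for r in records if is_upload_hit(r)]
    first_hit = {}
    for r in hits:
        first_hit.setdefault(r["ip"], r["ts"])
    suspected = []
    for r in records:
        t0 = first_hit.get(r["ip"])
        if t0 is None or not (t0 <= r["ts"] <= t0 + FOLLOW_ON_WINDOW):
            continue
        # A 200 on a script path after an upload is worth a look; a 404 means
        # nothing executable landed where the client expected it.
        if r["path"].lower().endswith(SCRIPT_EXT) and r["status"] == 200:
            suspected.append(r)
    return {"upload_hits": hits, "suspected_webshell": suspected}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for r in result["upload_hits"]:
        print(f"upload hit   {r['ts']} {r['ip']} {r['method']} {r['path']}")
    for r in result["suspected_webshell"]:
        print(f"script after {r['ts']} {r['ip']} {r['method']} {r['path']}")
```

Every hit on the endpoint is worth recording, but on a busy OA server most will be legitimate, so the follow-on check is what turns the list into something an analyst can act on; a request for /index.jsp from a client that never touched the endpoint is not flagged, while /upload/cmd.jsp two seconds after an upload from the same address is.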


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-15T14:59:10.993Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6919b890ea52702b1491872e

Added to database: 11/16/2025, 11:42:08 AM

Last enriched: 11/23/2025, 12:05:16 PM

Last updated: 1/8/2026, 11:36:51 AM

