CVE-2025-34040: CWE-434 Unrestricted Upload of File with Dangerous Type in Seeyon (Beijing Zhiyuan Internet Software Co., Ltd.) Zhiyuan OA Web Application System
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-01 UTC.
AI Analysis
Technical Summary
CVE-2025-34040 is a critical vulnerability in the Zhiyuan OA Web Application System, a widely used office automation platform developed by Beijing Zhiyuan Internet Software Co., Ltd. The flaw resides in the wpsAssistServlet interface, which handles multipart file uploads. Specifically, the parameters realFileType and fileId are not properly validated, allowing attackers to bypass intended file type restrictions and directory constraints. By leveraging path traversal techniques, an unauthenticated attacker can upload crafted JSP files outside the designated upload directories. These JSP files can then be accessed and executed remotely via the web server, resulting in remote code execution (RCE). The vulnerability affects multiple versions of the product, from 5.0 up to 8.0, indicating a broad attack surface. The CVSS 4.0 base score is 10.0, reflecting the vulnerability’s network attack vector, no required privileges or user interaction, and its high impact on confidentiality, integrity, and availability. Although no public exploit code or widespread exploitation has been reported, Shadowserver Foundation observed exploitation attempts as of February 2025, confirming active threat actor interest. The vulnerability is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-22 (Path Traversal), emphasizing the dual nature of the flaw involving both improper file validation and directory traversal. This combination makes the vulnerability particularly dangerous, as it allows attackers to place executable code in arbitrary locations on the server, bypassing typical upload restrictions and security controls.
Potential Impact
For European organizations, the impact of CVE-2025-34040 is significant. Zhiyuan OA is used in various sectors including government, education, and enterprise environments, where sensitive data and critical workflows are managed. Successful exploitation leads to full remote code execution on affected servers, enabling attackers to execute arbitrary commands, deploy malware, steal confidential information, disrupt services, or establish persistent backdoors. This compromises the confidentiality, integrity, and availability of organizational data and systems. Given the unauthenticated nature of the exploit and the lack of required user interaction, attackers can rapidly compromise vulnerable systems remotely. The breach of internal office automation systems can lead to lateral movement within networks, escalating the threat to broader IT infrastructure. Additionally, regulatory compliance risks arise under GDPR due to potential data breaches. The criticality of this vulnerability demands urgent attention to prevent potential espionage, sabotage, or ransomware attacks targeting European entities using Zhiyuan OA.
Mitigation Recommendations
1. Immediate network-level controls should be implemented to restrict access to the wpsAssistServlet interface, limiting it to trusted internal IP addresses or VPN users only.
2. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious multipart file uploads, especially those containing JSP or other executable code.
3. Enforce strict server-side validation of uploaded files, verifying MIME types, file extensions, and sanitizing file paths to prevent path traversal.
4. Monitor web server logs for unusual file upload activity or access to unexpected JSP files outside normal directories.
5. Isolate the Zhiyuan OA application environment using containerization or segmentation to limit the blast radius of potential exploitation.
6. Engage with the vendor for official patches or updates addressing this vulnerability and apply them promptly once available.
7. Conduct regular vulnerability scanning and penetration testing focused on file upload functionalities.
8. Educate IT and security teams about this specific threat to improve detection and response capabilities.
9. Implement application-level integrity checks to detect unauthorized file modifications or additions.
10. Prepare incident response plans tailored to web application compromise scenarios involving remote code execution.
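Recommendation 3 is the control that addresses both weaknesses named above (CWE-434 and CWE-22) at once. The following is an added illustration of what "strict server-side validation" of the two parameters looks like; it is not Zhiyuan OA's code, and the upload directory, the extension allowlist, the parameter names being passed straight into a path, and the function names are all assumptions. It allowlists the declared type instead of blocklisting dangerous ones, restricts the identifier to a safe alphabet so it cannot carry path separators or null bytes, checks the canonical destination path against the canonical upload root as defence in depth, and sniffs the file body so the declared type must match the content.

```python
import os
import re

# Constructed values for this example; a real deployment would take these from config.
DEFAULT_UPLOAD_ROOT = "/tmp/zhiyuan_uploads"                 # hypothetical upload directory
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg"}   # hypothetical allowlist
FILE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")              # no dots, slashes or NULs

# Leading bytes each allowed type must start with ("magic" sniff).
MAGIC_BY_EXTENSION = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),   # OOXML files are ZIP containers
    "xlsx": (b"PK\x03\x04",),
}


class UploadRejected(ValueError):
    """Raised for any upload that fails validation; the caller never writes the file."""


def validate_real_file_type(real_file_type: str) -> str:
    """Accept only a bare extension from the allowlist. Values such as 'jsp'
    or '../x.jsp' are rejected outright rather than cleaned up."""
    ext = real_file_type.strip().lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"file type not allowed: {real_file_type!r}")
    return ext


def validate_file_id(file_id: str) -> str:
    """The identifier becomes part of a path, so restrict it to a safe alphabet."""
    if not FILE_ID_RE.fullmatch(file_id):
        raise UploadRejected(f"bad fileId: {file_id!r}")
    return file_id


def resolve_upload_path(upload_root: str, real_file_type: str, file_id: str) -> str:
    """Build the destination path and prove it stays inside upload_root."""
    ext = validate_real_file_type(real_file_type)
    fid = validate_file_id(file_id)
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, f"{fid}.{ext}"))
    # Defence in depth: even if the allowlists above are loosened later,
    # a canonical-path containment check still blocks traversal out of root.
    if os.path.commonpath([root, candidate]) != root:
        raise UploadRejected("destination escapes the upload root")
    return candidate


def content_matches_type(data: bytes, ext: str) -> bool:
    """Check the file body against the signature expected for its extension."""
    return any(data.startswith(sig) for sig in MAGIC_BY_EXTENSION.get(ext, ()))


def accept_upload(real_file_type: str, file_id: str, data: bytes,
                  upload_root: str = DEFAULT_UPLOAD_ROOT) -> str:
    """Return the validated destination path, or raise UploadRejected."""
    path = resolve_upload_path(upload_root, real_file_type, file_id)
    ext = os.path.splitext(path)[1][1:]
    if not content_matches_type(data, ext):
        raise UploadRejected("content does not match declared type")
    return path


def is_upload_accepted(real_file_type: str, file_id: str, data: bytes) -> bool:
    """Boolean wrapper around accept_upload, convenient for checks and tests."""
    try:
        accept_upload(real_file_type, file_id, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign document, then several malformed parameter pairs.
    print(accept_upload("docx", "doc-42", b"PK\x03\x04" + b"\0" * 16))
    for rft, fid in [("jsp", "shell"), ("../../webapps/ROOT/shell.jsp", "x"),
                     ("docx", "../../webapps/ROOT/shell"), ("docx", "a.jsp\x00")]:
        print(rft, fid, "->", is_upload_accepted(rft, fid, b"PK\x03\x04"))
```

The two parameter checks do the real work; the `commonpath` comparison only matters if someone later relaxes them, which is exactly the kind of regression this check is there to catch. A WAF rule (recommendation 2) can mirror the same logic by flagging multipart requests to this endpoint whose `realFileType` or `fileId` fields contain `/`, `\`, `..` or a NUL.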
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.546Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 685a0560dec26fc862d8cf71
Added to database: 6/24/2025, 1:54:40 AM
Last enriched: 11/24/2025, 10:55:27 PM
Last updated: 1/7/2026, 4:53:49 AM