The vulnerability identified as CVE-2025-50857 affects ZenTaoPMS versions 18.11 through 21.6.beta. It is a directory traversal flaw located in the /module/ai/control.php file, which is part of the AI module of the software. This vulnerability allows an attacker to manipulate file paths during a file upload process, bypassing normal directory restrictions. By crafting a malicious file upload request, an attacker can place executable code in arbitrary locations on the server. This leads to arbitrary code execution, potentially allowing full system compromise, data theft, or further lateral movement within the network. The vulnerability does not currently have a CVSS score, and no public exploits have been reported yet. However, the nature of the vulnerability—code execution via file upload—makes it highly dangerous. ZenTaoPMS is a project management system commonly used in software development environments, making it a valuable target for attackers seeking to disrupt development operations or gain access to intellectual property. The vulnerability affects multiple versions over several years, indicating a broad attack surface. The lack of available patches or mitigations in the provided data suggests that organizations must monitor vendor advisories closely and apply updates promptly once released.

The impact of this vulnerability is significant for organizations using affected versions of ZenTaoPMS. Successful exploitation can lead to arbitrary code execution, which compromises the confidentiality, integrity, and availability of the affected system. Attackers could gain unauthorized access to sensitive project management data, intellectual property, and potentially pivot to other internal systems. This could result in data breaches, operational disruption, and reputational damage. Since ZenTaoPMS is often integrated into software development workflows, exploitation could also affect software supply chains, increasing the risk of introducing malicious code into production environments. The ease of exploitation via crafted file uploads without requiring user interaction or complex prerequisites increases the threat level. Organizations worldwide relying on ZenTaoPMS for project management are at risk, especially those in software development, IT services, and technology sectors.

Organizations should implement the following specific mitigations: 1) Immediately audit all ZenTaoPMS instances to identify affected versions (18.11 through 21.6.beta). 2) Monitor official ZenTaoPMS vendor channels for security patches addressing CVE-2025-50857 and apply them as soon as they become available. 3) Restrict file upload permissions and validate file types rigorously on the server side to prevent unauthorized file types or paths. 4) Employ web application firewalls (WAFs) with custom rules to detect and block directory traversal patterns and suspicious file upload attempts targeting /module/ai/control.php. 5) Limit network exposure of ZenTaoPMS interfaces to trusted internal networks or VPNs to reduce attack surface. 6) Conduct regular security assessments and penetration tests focusing on file upload functionalities. 7) Implement strict access controls and monitor logs for unusual file upload activities or errors related to the AI module. 8) Consider isolating the ZenTaoPMS application environment to contain potential compromises. These steps go beyond generic advice by focusing on the specific vulnerable component and attack vector.