CVE-2025-5877: XML External Entity Reference in Fengoffice Feng Office

Severity: Medium
Type: Vulnerability (CVE-2025-5877)
Published: Mon Jun 09 2025 (06/09/2025, 12:31:04 UTC)
Source: CVE Database V5
Vendor/Project: Fengoffice
Product: Feng Office

Description

A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/ApplicationDataObject.class.php of the component Document Upload Handler. The manipulation leads to XML external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 07/09/2025, 13:26:28 UTC

Technical Analysis

CVE-2025-5877 is a security vulnerability identified in Fengoffice Feng Office version 3.2.2.1, specifically within the Document Upload Handler component, located in the file /application/models/ApplicationDataObject.class.php. The vulnerability is classified as an XML External Entity (XXE) reference issue. XXE vulnerabilities occur when an application parses XML input containing references to external entities, which can be exploited by attackers to read arbitrary files, perform server-side request forgery (SSRF), or cause denial of service (DoS) conditions. In this case, the vulnerability allows remote attackers to manipulate XML input to trigger external entity references without requiring user interaction or authentication, as indicated by the CVSS vector. The vulnerability has been publicly disclosed, and although no known exploits are currently reported in the wild, the public disclosure increases the risk of exploitation attempts. The vendor has not responded to the disclosure, and no patches or mitigations have been provided yet. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the vulnerability's moderate impact on confidentiality, integrity, and availability, with low complexity and no required privileges or user interaction. The vulnerability affects a widely used collaboration and project management platform, which may be deployed in various organizational environments.

Potential Impact

For European organizations using Fengoffice Feng Office 3.2.2.1, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized disclosure of sensitive internal files or data through XXE attacks, potentially exposing confidential business information or user data. Additionally, attackers might leverage the vulnerability to perform SSRF attacks, which could be used to pivot within internal networks, access internal services, or disrupt availability. Given that Fengoffice is used for project management and collaboration, compromise could affect business continuity and data integrity. The lack of vendor response and absence of patches increases the window of exposure. Organizations in sectors with strict data protection regulations, such as GDPR in Europe, could face compliance risks and reputational damage if sensitive data is leaked. The medium severity indicates that while the vulnerability is not critical, it should be addressed promptly to prevent escalation or chaining with other vulnerabilities.

Mitigation Recommendations

Since no official patch or vendor response is available, European organizations should implement immediate compensating controls. These include disabling XML external entity processing in the XML parsers used by Fengoffice, if configurable, to prevent XXE exploitation. Network-level controls such as restricting outbound HTTP/HTTPS traffic from the application server to prevent SSRF attempts can reduce risk. Employing web application firewalls (WAFs) with rules targeting XXE attack patterns can provide additional protection. Organizations should also monitor logs for suspicious XML payloads or unusual outbound requests. If feasible, upgrading to a newer, unaffected version of Fengoffice or migrating to alternative software should be considered. Regular security assessments and penetration testing focusing on XML handling can help identify residual risks. Finally, organizations should maintain strict access controls and segmentation to limit the impact of potential exploitation.
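As an added example, not code from Feng Office or from this advisory, the following PHP entry point shows what "disabling XML external entity processing" looks like in practice for an upload handler: it refuses any DTD, forbids network access during parsing, and never sets the entity-substitution flag. The function name and the sample inputs are assumptions.

```php
<?php
// Added example (not Feng Office code). Hardened loading of untrusted XML
// in PHP's DOM extension; function name and samples are constructed.
declare(strict_types=1);

/**
 * Parse untrusted XML without resolving external entities.
 * Throws InvalidArgumentException on any DOCTYPE/DTD or on a parse error.
 */
function parseUntrustedXml(string $xml): DOMDocument
{
    // Uploaded documents never need a DTD. Rejecting any DOCTYPE up front
    // removes the whole entity-declaration surface, including internal
    // entities used for entity-expansion denial of service.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE/DTD not allowed in uploaded XML');
    }

    // On PHP < 8.0 the external entity loader must be switched off
    // explicitly; from 8.0 it is disabled by default and the call is deprecated.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // Both default to false; set them explicitly so a later edit cannot
        // silently re-enable external resolution or entity substitution.
        $dom->resolveExternals   = false;
        $dom->substituteEntities = false;

        // LIBXML_NONET forbids network fetches while parsing.
        // Never add LIBXML_NOENT here: that flag is what turns a SYSTEM
        // entity into a local file read or an outbound (SSRF) request.
        $ok = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
        if ($ok === false || $dom->doctype !== null) {
            $err = libxml_get_last_error();
            $msg = $err !== false ? ': ' . trim($err->message) : '';
            throw new InvalidArgumentException('Rejected XML' . $msg);
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs (not taken from the advisory).
$benign  = '<document><title>Q3 report</title></document>';
$hostile = '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///placeholder">]><document>&ext;</document>';
echo parseUntrustedXml($benign)->documentElement->tagName, PHP_EOL;
try {
    parseUntrustedXml($hostile);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The same two checks (no DOCTYPE, no LIBXML_NOENT) apply to SimpleXML's simplexml_load_string(), which accepts the same libxml option flags.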

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-08T18:05:09.822Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6846d5937b622a9fdf225524

Added to database: 6/9/2025, 12:37:39 PM

Last enriched: 7/9/2025, 1:26:28 PM

Last updated: 8/17/2025, 12:52:45 AM
