
CVE-2025-6761: Improper Neutralization of Special Elements Used in a Template Engine in Kingdee Cloud-Starry-Sky Enterprise Edition

Severity: Medium
Tags: Vulnerability, CVE-2025-6761
Published: Fri Jun 27 2025 (06/27/2025, 10:31:09 UTC)
Source: CVE Database V5
Vendor/Project: Kingdee
Product: Cloud-Starry-Sky Enterprise Edition

Description

A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0. It has been rated as critical. Affected by this issue is the function plugin.buildMobilePopHtml of the file \k3\o2o\bos\webapp\action\DynamicForm 4 Action.class of the component Freemarker Engine. The manipulation leads to improper neutralization of special elements used in a template engine. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The vendor explains that in the fixed release "Freemarker is set to 'ALLOWS_NOTHING_RESOLVER' to not parse any classes."

AI-Powered Analysis

AI analysis last updated: 06/27/2025, 10:50:01 UTC

Technical Analysis

CVE-2025-6761 is a vulnerability identified in Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x through 9.0. The issue resides in the function plugin.buildMobilePopHtml within the file \k3\o2o\bos\webapp\action\DynamicForm 4 Action.class, specifically in the Freemarker template engine component. The vulnerability is caused by improper neutralization of special elements used in the template engine, which can allow an attacker to inject template directives or expressions. Because the engine processes attacker-controlled input as template text rather than as data, this can lead to remote code execution or unauthorized data access. The vulnerability is exploitable remotely without requiring authentication or user interaction, increasing its risk profile. The vendor's fix configures Freemarker with the 'ALLOWS_NOTHING_RESOLVER' class resolver, which prevents templates from resolving any class and so stops the class-loading template expressions from being evaluated. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with attack vector network, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but public disclosure of the exploit code exists, raising the urgency for patching. This vulnerability affects a critical component of Kingdee's enterprise cloud software, which is widely used for business management and ERP solutions, making it a significant risk for organizations relying on this platform.

Potential Impact

For European organizations using Kingdee Cloud-Starry-Sky Enterprise Edition, this vulnerability poses a risk of remote exploitation leading to unauthorized code execution or data leakage within their enterprise resource planning (ERP) systems. Given that ERP systems often contain sensitive financial, operational, and personal data, exploitation could result in significant confidentiality breaches, operational disruption, and potential compliance violations under GDPR. The ability to exploit this vulnerability without authentication or user interaction increases the likelihood of automated attacks or exploitation by remote threat actors. This could lead to data integrity issues, unauthorized access to business-critical functions, and potential service outages. The medium severity rating suggests that while the impact is serious, it may not result in full system compromise or widespread availability loss. However, the strategic importance of ERP systems in European enterprises means that even medium-severity vulnerabilities can have outsized operational and reputational consequences. Organizations in sectors such as manufacturing, finance, and logistics, which commonly deploy Kingdee solutions, are particularly at risk.

Mitigation Recommendations

European organizations should prioritize upgrading Kingdee Cloud-Starry-Sky Enterprise Edition to the vendor’s fixed release where Freemarker is configured with 'ALLOWS_NOTHING_RESOLVER' to prevent unsafe template parsing. Until patches are applied, organizations should implement strict input validation and sanitization on all user-supplied data that interacts with the template engine. Network-level controls such as web application firewalls (WAFs) should be configured to detect and block suspicious template injection patterns. Monitoring and logging of template engine usage and anomalous requests can help detect exploitation attempts early. Additionally, organizations should restrict network access to the affected services to trusted internal networks or VPNs to reduce exposure. Conducting regular security audits and code reviews focusing on template usage can prevent similar vulnerabilities. Finally, organizations should maintain an incident response plan tailored to ERP system compromises to quickly contain and remediate any exploitation.
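The vendor fix described in the technical analysis and the mitigation section is a Freemarker configuration setting. The following is an added example, not Kingdee's code, showing how that setting is applied in a Freemarker `Configuration`, how an audit or unit test can confirm a running configuration carries it, and the complementary rule that user input reaches the engine only as model data (the class `SafeFreemarker`, the method names and the sample template are assumptions for illustration; the Freemarker API calls are real):

```java
// Added example (not from the advisory or the vendor): a Freemarker Configuration
// hardened as the advisory describes, plus a check that a Configuration is hardened.
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;
import freemarker.template.TemplateExceptionHandler;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

public final class SafeFreemarker {

    /** Configuration in which templates cannot resolve or instantiate any class. */
    public static Configuration hardenedConfiguration() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // The fix named in the advisory: the ?new built-in can no longer load classes.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // The ?api built-in is controlled by a separate switch; keep it off (the default).
        cfg.setAPIBuiltinEnabled(false);
        // Fail the request instead of emitting partial HTML with an error message.
        cfg.setTemplateExceptionHandler(TemplateExceptionHandler.RETHROW_HANDLER);
        return cfg;
    }

    /** Audit/test check: does this Configuration carry the advisory's setting? */
    public static boolean isHardened(Configuration cfg) {
        return cfg.getNewBuiltinClassResolver() == TemplateClassResolver.ALLOWS_NOTHING_RESOLVER
                && !cfg.isAPIBuiltinEnabled();
    }

    /** Renders developer-authored template text; user input goes only into the model. */
    public static String render(Configuration cfg, String trustedTemplateSource,
                                Map<String, Object> model) throws IOException, TemplateException {
        Template t = new Template("popup", new StringReader(trustedTemplateSource), cfg);
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfiguration();
        // Constructed sample: the title is user-supplied, so it is passed as data and
        // HTML-escaped by ?html, never concatenated into the template string itself.
        String templateSource = "<div class=\"pop\">${title?html}</div>";
        System.out.println(render(cfg, templateSource, Map.of("title", "<b>hello</b>")));
        System.out.println("hardened: " + isHardened(cfg));
    }
}
```

The class resolver limits what a template can do once it is being evaluated; the `render` contract (template text from the developer, user values only in the model) is what removes the injection in the first place, and `isHardened` is the check to drop into a deployment test so a later configuration change does not silently reintroduce the default resolver.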


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-27T05:07:41.838Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 685e73ceca1063fb8757515a

Added to database: 6/27/2025, 10:34:54 AM

Last enriched: 6/27/2025, 10:50:01 AM

Last updated: 8/17/2025, 10:39:59 AM
