CVE-2025-8516: Path Traversal in Kingdee Cloud-Starry-Sky Enterprise Edition
A vulnerability classified as problematic was found in Kingdee Cloud-Starry-Sky Enterprise Edition up to version 8.2. Affected is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. Manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function."
AI Analysis
Technical Summary
CVE-2025-8516 is a path traversal vulnerability identified in Kingdee Cloud-Starry-Sky Enterprise Edition versions 8.0, 8.1, and 8.2. The flaw exists in the BaseServiceFactory.getFileUploadService.deleteFileAction function within the FileUploadAction.class component of the IIS-K3CloudMiniApp module. Specifically, the vulnerability arises from improper validation of the 'filePath' argument, allowing an attacker to manipulate this parameter to traverse directories beyond the intended scope. This can enable unauthorized access to arbitrary files on the server's filesystem. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The vendor has acknowledged the issue and recommends short-term mitigations such as disabling external network access to the Kingdee Cloud Galaxy Retail System or implementing IP whitelisting to restrict access. Long-term remediation involves applying a security patch that adds authentication to the vulnerable CMKAppWebHandler.ashx interface and removes the file reading functionality that enables the traversal. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction needed, and limited impact confined to confidentiality (file content exposure). No known exploits are currently reported in the wild, but public disclosure increases the likelihood of exploitation attempts.
Potential Impact
For European organizations using Kingdee Cloud-Starry-Sky Enterprise Edition, this vulnerability poses a significant risk of unauthorized file access, potentially exposing sensitive business data, configuration files, or credentials stored on the affected servers. Given that the vulnerability can be exploited remotely without authentication, attackers could leverage it to gain intelligence on internal systems or escalate attacks. The impact on confidentiality is notable, though integrity and availability are not directly affected. Organizations in retail or enterprise sectors relying on this software for cloud or on-premises deployments could face data breaches or compliance violations, especially under GDPR regulations that mandate protection of personal data. The exposure could also facilitate lateral movement within networks if attackers retrieve credentials or configuration details. The short-term mitigation of restricting external access may disrupt legitimate remote operations, impacting business continuity if not carefully managed.
Mitigation Recommendations
Beyond the vendor's recommendations, European organizations should immediately audit network exposure of Kingdee Cloud-Starry-Sky Enterprise Edition instances, ensuring they are not accessible from untrusted external networks. Implement strict network segmentation and firewall rules to limit access to trusted IP addresses only. Conduct thorough logging and monitoring of file access requests to detect anomalous path traversal attempts. Employ Web Application Firewalls (WAFs) with custom rules to block suspicious path traversal patterns targeting the vulnerable endpoints. Prioritize patch management by scheduling the installation of the vendor's security update as soon as it becomes available, verifying that authentication is enforced on the CMKAppWebHandler.ashx interface and that file reading functions are disabled or secured. Additionally, perform a comprehensive review of file permissions on the server to minimize the impact of any unauthorized access. Finally, educate IT and security teams about this vulnerability to recognize potential exploitation indicators and respond promptly.
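As an added illustration of the monitoring recommended above (example code written for this page, not Kingdee's or VulDB's), the following Python flags requests to CMKAppWebHandler.ashx whose filePath argument escapes the upload directory once it is fully decoded and canonicalised. The log format, the /K3CloudMiniApp/ virtual directory, the /uploads root and all log lines are constructed assumptions; the same canonicalise-then-compare check is what a hardened handler should apply before touching the filesystem.

```python
# Defensive example: flag path-traversal attempts in the CMKAppWebHandler.ashx
# 'filePath' argument from IIS W3C log lines (all sample data is constructed).
import posixpath
from urllib.parse import parse_qs, unquote
HANDLER = "cmkappwebhandler.ashx"   # handler named in the advisory (matched case-insensitively)
PARAM = "filepath"                   # argument named in the advisory (matched case-insensitively)
UPLOAD_ROOT = "/uploads"             # assumed virtual root the handler should stay inside
# Field order follows the #Fields header of the constructed sample below.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

def decode_fully(value, rounds=3):
    """Peel up to `rounds` layers of percent-encoding (%2e%2e, %252e%252e) and fold '\\' to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def escapes_root(file_path):
    """True if the canonicalised path resolves outside UPLOAD_ROOT (decode, normalise, compare)."""
    path = decode_fully(file_path)
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return True                       # absolute or drive-letter path
    resolved = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path))
    return resolved != UPLOAD_ROOT and not resolved.startswith(UPLOAD_ROOT + "/")

def find_traversal_attempts(lines):
    """Return (client_ip, time, decoded filePath) for handler requests whose filePath escapes the root."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blanks and W3C directive lines
        rec = dict(zip(FIELDS, line.split(" ")))
        if HANDLER not in rec.get("cs-uri-stem", "").lower():
            continue
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for value in (v for k, vs in query.items() if k.lower() == PARAM for v in vs):
            if escapes_root(value):
                hits.append((rec["c-ip"], rec["time"], decode_fully(value)))
    return hits

# Constructed IIS W3C excerpt; the /K3CloudMiniApp/ prefix is an assumed virtual directory.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-04 15:47:38 10.0.0.5 GET /K3CloudMiniApp/CMKAppWebHandler.ashx filePath=images/logo.png 443 - 198.51.100.7 Mozilla/5.0 200
2025-08-04 15:47:40 10.0.0.5 GET /K3CloudMiniApp/CMKAppWebHandler.ashx filePath=..%2F..%2Fsecrets.txt 443 - 203.0.113.9 curl/8.0 200
2025-08-04 15:47:41 10.0.0.5 GET /K3CloudMiniApp/CMKAppWebHandler.ashx filepath=%252e%252e%255c%252e%252e%255cconf%255capp.ini 443 - 203.0.113.9 curl/8.0 200
2025-08-04 15:47:42 10.0.0.5 GET /K3CloudMiniApp/CMKAppWebHandler.ashx filePath=docs/..%2Freports%2Fq2.pdf 443 - 198.51.100.7 Mozilla/5.0 200
"""
```

The fourth sample line contains a literal `..` yet stays inside the root after normalisation, so it is not reported; a rule that merely greps for `..` would flag it while missing the double-encoded third line.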
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-04T05:57:31.166Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6890d61aad5a09ad00e21575
Added to database: 8/4/2025, 3:47:38 PM
Last enriched: 8/4/2025, 4:02:41 PM
Last updated: 8/4/2025, 5:02:48 PM