CVE-2025-8516: Path Traversal in Kingdee Cloud-Starry-Sky Enterprise Edition
A security vulnerability has been detected in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. This issue affects the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. The manipulation of the argument filePath leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. It is suggested to install a patch to address this issue. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function."
AI Analysis
Technical Summary
CVE-2025-8516 is a path traversal vulnerability in Kingdee Cloud-Starry-Sky Enterprise Edition up to version 8.2, in the BaseServiceFactory.getFileUploadService.deleteFileAction function of the IIS-K3CloudMiniApp component (FileUploadAction.class inside the Kingdee.K3.O2O.Base.WebApp.jar library). The filePath parameter is not validated against the intended base directory, so a caller can supply ".." segments (or an absolute path) and make the handler operate on files outside that directory. The attack can be initiated remotely, and the vendor's fix of adding authentication to the CMKAppWebHandler.ashx interface indicates that the vulnerable interface is currently reachable without authentication and without user interaction. The vendor's remediation refers to removing a file reading function, so the primary risk is disclosure of server-side files such as configuration files or stored credentials, which can support further attacks; note also that the affected function is named deleteFileAction, so the same unvalidated path may allow deletion of files outside the upload directory, which would affect integrity and availability in addition to confidentiality. The issue was published through VulDB. The vendor recommends temporarily disabling external network access to the Kingdee Cloud Galaxy Retail System, or restricting access with an IP whitelist, as the interim measure, and installing the security patch (which adds authentication to CMKAppWebHandler.ashx and removes the file reading function) as the long-term fix. The CVSS 4.0 base score of 6.9 corresponds to medium severity, reflecting the network attack vector, no required privileges and the confidentiality impact. The advisory states that an exploit has been disclosed publicly; no in-the-wild exploitation has been reported, but public availability of the exploit raises the likelihood of attempts.
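The following is an added example of the vulnerability class described above, written for this page and not taken from Kingdee's code: FileUploadAction.class is not shown here, so the function names, the upload directory and the simulated delete action are assumptions. It places a naive filePath resolution next to a hardened one that canonicalises the path and enforces containment in the upload root.

```python
"""
Illustration of the vulnerability class behind CVE-2025-8516: a "delete
uploaded file" handler that trusts a caller-supplied filePath. Added
example, not Kingdee's code; names and directory below are hypothetical.
"""
import posixpath
import re

UPLOAD_ROOT = "/srv/k3cloud/uploads"  # assumed upload directory (hypothetical)

_DRIVE = re.compile(r"^[A-Za-z]:")    # Windows drive prefix, never a valid relative name


def _normalise_separators(file_path: str) -> str:
    # IIS runs on Windows, where '\' and '/' are both path separators, so
    # '..\..\web.config' traverses exactly like '../../web.config'.
    return file_path.replace("\\", "/")


def vulnerable_resolve(file_path: str) -> str:
    """Naive resolution: filePath is joined to the upload root as-is.

    '..' segments walk out of UPLOAD_ROOT, and because posixpath.join
    discards the first argument when the second is absolute, an absolute
    filePath replaces the root entirely.
    """
    candidate = _normalise_separators(file_path)
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, candidate))


def hardened_resolve(file_path: str) -> str:
    """Resolve filePath under UPLOAD_ROOT and refuse anything that escapes it.

    Raises ValueError for NUL bytes, absolute paths, drive prefixes and
    '..' traversal.
    """
    if "\x00" in file_path:
        raise ValueError("NUL byte in filePath")
    candidate = _normalise_separators(file_path)
    if posixpath.isabs(candidate) or _DRIVE.match(candidate):
        raise ValueError("absolute filePath rejected")
    resolved = posixpath.normpath(posixpath.join(UPLOAD_ROOT, candidate))
    # Containment check with a trailing separator, so that a sibling such as
    # /srv/k3cloud/uploads2 does not pass as a prefix match and the root
    # itself is never the target. On a real server call os.path.realpath()
    # first so that symlinks cannot bypass the comparison.
    if not resolved.startswith(UPLOAD_ROOT + "/"):
        raise ValueError(f"filePath escapes upload root: {resolved}")
    return resolved


def accepts(file_path: str) -> bool:
    """True if the hardened check would let this filePath through."""
    try:
        hardened_resolve(file_path)
        return True
    except ValueError:
        return False


def delete_file_action(file_path: str, hardened: bool = True) -> str:
    """Simulated deleteFileAction: returns the path that would be deleted
    instead of touching the filesystem."""
    return hardened_resolve(file_path) if hardened else vulnerable_resolve(file_path)


if __name__ == "__main__":
    samples = ["invoice_2025.pdf", "../../../etc/passwd", r"..\..\web.config",
               "/etc/shadow", "../uploads2/x.txt"]
    for p in samples:
        verdict = "accepted" if accepts(p) else "rejected"
        print(f"{p!r:24} vulnerable -> {vulnerable_resolve(p):30} hardened -> {verdict}")
```

The containment check is the part that matters: normalising the path is not enough on its own, because a normalised "../uploads2/x.txt" is still a valid-looking absolute path; only the comparison against the root with a trailing separator rejects it.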
Potential Impact
For European organizations using Kingdee Cloud-Starry-Sky Enterprise Edition, this vulnerability poses a risk of unauthorized file access, potentially exposing sensitive corporate data, intellectual property, or credentials stored on the affected servers. Such exposure could lead to further compromise, including lateral movement within networks or data exfiltration. Retail and enterprise sectors relying on Kingdee's software for cloud-based operations may face operational disruptions or reputational damage if exploited. The ability to exploit remotely without authentication increases the threat level, especially for organizations with externally accessible deployments. Data protection regulations such as GDPR heighten the consequences of data breaches resulting from this vulnerability, potentially leading to regulatory penalties and loss of customer trust. The medium severity rating suggests a moderate but actionable risk, emphasizing the need for timely remediation to prevent escalation or chaining with other vulnerabilities.
Mitigation Recommendations
European organizations should apply the vendor's short-term measures immediately: disable external network access to the Kingdee Cloud Galaxy Retail System, or restrict access to the CMKAppWebHandler.ashx interface (and the K3Cloud site as a whole) to an IP whitelist of trusted internal or partner networks. An IP whitelist only limits who can reach the interface; it does not add the missing authentication, so a compromised host inside a whitelisted network can still exploit the flaw. Segment the affected servers from the rest of the enterprise network. Enable and retain web server access logs for the service and review them for requests to CMKAppWebHandler.ashx whose filePath value contains traversal sequences ("../", "..\") or absolute paths, including URL-encoded and double-encoded forms; a WAF rule that blocks these patterns on the vulnerable endpoint adds a layer of protection, but it must normalise encoding before matching or it will be bypassed, and it is a stopgap rather than a substitute for the patch. Install the security patch Kingdee has provided, which adds authentication to CMKAppWebHandler.ashx and removes the file reading function; after patching, verify that an unauthenticated request to the interface is rejected. Audit affected systems for signs of compromise, including unexpected reads of configuration files and, since the affected function is a delete action, unexpected deletion of files outside the upload directory. Finally, maintain regular backups of critical data and test restoration, so that damage from exploitation can be reversed.
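As an added example of the log review recommended above (written for this page, not vendor or page code), the script below scans IIS W3C access log lines for filePath values aimed at CMKAppWebHandler.ashx that decode to a traversal sequence or an absolute path. The endpoint and parameter names come from the advisory; the log lines are constructed samples, and the field order is the default IIS W3C layout, which is an assumption about the target's logging configuration.

```python
"""
Detection example for CVE-2025-8516: scan IIS W3C access logs for path
traversal attempts against CMKAppWebHandler.ashx via filePath. Added
example; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

TARGET_STEM = "cmkappwebhandler.ashx"  # matched case-insensitively against cs-uri-stem
PARAM = "filepath"                     # query parameter name, compared lower-cased
MAX_DECODE_ROUNDS = 3                  # bound on repeated percent-decoding

# '..' as a whole path segment with either separator, or an absolute path
# (leading '/' or '\', or a Windows drive letter).
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
_ABSOLUTE = re.compile(r"^([A-Za-z]:)?[\\/]")

# Constructed sample log. IIS writes spaces inside fields as '+', so a
# single split on ' ' is safe for the default W3C layout assumed here.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-05 09:12:01 10.0.0.5 GET /K3Cloud/CMKAppWebHandler.ashx filePath=invoice_2025.pdf 443 - 10.0.0.77 Mozilla/5.0 200
2025-08-05 09:12:07 10.0.0.5 GET /K3Cloud/CMKAppWebHandler.ashx filePath=../../../Windows/win.ini 443 - 203.0.113.9 curl/8.4.0 200
2025-08-05 09:12:09 10.0.0.5 GET /K3Cloud/CMKAppWebHandler.ashx filePath=%2e%2e%2f%2e%2e%2fweb.config 443 - 203.0.113.9 curl/8.4.0 200
2025-08-05 09:12:11 10.0.0.5 GET /K3Cloud/CMKAppWebHandler.ashx filePath=%252e%252e%255c%252e%252e%255cweb.config 443 - 203.0.113.9 python-requests/2.32 200
2025-08-05 09:12:15 10.0.0.5 GET /K3Cloud/CMKAppWebHandler.ashx filePath=C:\inetpub\wwwroot\web.config 443 - 203.0.113.9 curl/8.4.0 404
2025-08-05 09:13:00 10.0.0.5 GET /K3Cloud/index.html - 443 - 10.0.0.80 Mozilla/5.0 200
"""


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %252e%252e%252f is caught."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if a filePath value, once decoded, leaves a relative directory."""
    v = fully_decode(value)
    return bool(_TRAVERSAL.search(v) or _ABSOLUTE.match(v))


def _query_params(query: str):
    """Yield (name, raw_value) pairs without decoding, so encoding is
    handled in one place by fully_decode()."""
    if query == "-":
        return
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        yield name, value


def scan_iis_log(text: str) -> list:
    """Return one record per suspicious request: client IP, timestamp,
    status code, the decoded filePath and the raw line."""
    fields, hits = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line; count these separately in production
        rec = dict(zip(fields, parts))
        if TARGET_STEM not in rec.get("cs-uri-stem", "").lower():
            continue
        for name, value in _query_params(rec.get("cs-uri-query", "-")):
            if name.lower() == PARAM and is_traversal(value):
                hits.append({
                    "c-ip": rec.get("c-ip"),
                    "time": f"{rec.get('date')} {rec.get('time')}",
                    "sc-status": rec.get("sc-status"),
                    "decoded": fully_decode(value),
                    "line": line,
                })
    return hits


def hits_by_client(hits: list) -> dict:
    """Count suspicious requests per source IP, for blocking decisions."""
    counts = {}
    for h in hits:
        counts[h["c-ip"]] = counts.get(h["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['c-ip']} status={h['sc-status']} filePath={h['decoded']}")
    print("per client:", hits_by_client(found))
```

Treat a 200 response on a flagged request as a likely successful read and prioritise it over a 404; the same decode-then-match logic, applied before the request reaches the handler, is what a WAF rule for this endpoint needs in order not to be bypassed by encoding.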
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-04T05:57:31.166Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6890d61aad5a09ad00e21575
Added to database: 8/4/2025, 3:47:38 PM
Last enriched: 11/3/2025, 7:09:00 AM
Last updated: 11/3/2025, 10:02:28 AM