CVE-2026-1218: XML External Entity Reference in Bjskzy Zhiyou ERP
A vulnerability was detected in Bjskzy Zhiyou ERP up to version 11.0. Affected is the function initRCForm of the file RichClientService.class in the component com.artery.richclient.RichClientService. Manipulation of the input results in an XML external entity (XXE) reference. The attack can be carried out remotely. An exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-1218 is an XML External Entity (XXE) vulnerability affecting Bjskzy Zhiyou ERP up to version 11.0. The flaw resides in the initRCForm function within the RichClientService.class file of the com.artery.richclient.RichClientService component. An attacker can remotely send crafted XML input that declares external entities. When the parser resolves them, this can lead to disclosure of internal files, internal network scanning, or denial of service through resource exhaustion. The vulnerability does not require authentication or user interaction, increasing its risk profile. The vendor was contacted but has not responded or released a patch, while exploit code is publicly available, raising the likelihood of exploitation attempts. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). This suggests attackers can obtain some sensitive information or cause limited disruption, but not full system compromise. The lack of vendor response and the public exploit availability make urgent defensive measures necessary for affected organizations.
Potential Impact
The primary impact of this XXE vulnerability is unauthorized disclosure of sensitive internal files or data, which can lead to information leakage and potential exposure of credentials or configuration files. Additionally, attackers may leverage the vulnerability to perform server-side request forgery (SSRF) or internal network reconnaissance, increasing the risk of lateral movement within the victim's environment. Resource exhaustion attacks could cause denial of service, impacting availability of the ERP system. Since the vulnerability is remotely exploitable without authentication or user interaction, it poses a significant risk to organizations relying on Bjskzy Zhiyou ERP 11.0 for critical business operations. Data confidentiality and system availability are the most affected security properties, potentially disrupting business processes and causing financial or reputational damage. The absence of a vendor patch and public exploit code further elevates the threat level.
Mitigation Recommendations
1. Immediately disable external entity processing in all XML parsers used by the Zhiyou ERP system, if configurable.
2. Implement strict input validation and sanitization on all XML inputs to prevent malicious entity declarations.
3. Employ XML parsing libraries that are hardened against XXE attacks, or use safer data formats where possible.
4. Segment the ERP system network to limit exposure, and restrict outbound network access from the ERP server to prevent SSRF exploitation.
5. Monitor logs for suspicious XML payloads or unusual outbound connections indicative of exploitation attempts.
6. If possible, deploy web application firewalls (WAFs) with rules to detect and block XXE attack patterns.
7. Engage with the vendor for updates or patches, and consider alternative ERP solutions if no remediation is forthcoming.
8. Conduct regular security assessments and penetration tests focusing on XML processing components.
9. Educate development and operations teams about secure XML handling practices to prevent similar vulnerabilities in the future.
Affected Countries
China, India, Vietnam, Malaysia, Indonesia, Thailand, Singapore, South Korea, Taiwan, United States, Germany, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-01-19T23:19:20.859Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696f143c4623b1157c18a4f5
Added to database: 1/20/2026, 5:35:56 AM
Last enriched: 2/23/2026, 10:22:07 PM
Last updated: 3/24/2026, 10:37:43 AM