CVE-2025-34039

EPSS 0.36%
Veröffentlicht 24.06.2025 01:07:05
Zuletzt bearbeitet 20.11.2025 22:15:56
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerYonyou Co., Ltd.

≫

Produkt UFIDA NC

Default Statusunaffected

Version <= 6.5

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.36%	0.577

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	10	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://www.cnblogs.com/pursue-security/p/17685141.html

https://www.cnvd.org.cn/flaw/show/CNVD-2021-30167

https://vulncheck.com/advisories/yonyou-ufida-nc-beanshell-code-injection

https://nvd.nist.gov/vuln/detail/CVE-2025-34039

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34039

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34039

EUVD