CVE-2025-52239

ZKEACMS · ZKEACMS

A critical vulnerability has been identified in ZKEACMS, assigned CVE-2025-52239 with a CVSS score of 9.8.

Executive summary

This critical flaw in ZKEACMS allows an unauthenticated attacker to upload a malicious file, which can then be executed to gain complete control over the affected server. Successful exploitation could lead to total system compromise, data theft, and significant disruption to business operations.

Vulnerability

The vulnerability is an arbitrary file upload, which stems from insufficient validation of user-supplied files. An attacker can bypass security checks to upload a file with a dangerous extension (e.g., .aspx, .php, .jsp) disguised as a benign file type like an image. Once the malicious file is on the server, the attacker can navigate to its URL, causing the server to execute the embedded code and establish a remote shell, granting the attacker full administrative control.

Business impact

This vulnerability is rated as Critical with a CVSS score of 9.8. A successful exploit would have a severe business impact, including the complete compromise of the web server. This could lead to the theft of sensitive data such as customer information, financial records, and intellectual property. An attacker could also deface the website, disrupt services, install ransomware, or use the compromised server as a pivot point to attack other systems within the corporate network.

Remediation

Immediate Action: Apply the security patches provided by the vendor to update all instances of ZKEACMS to the latest version. After patching, it is crucial to monitor for any signs of ongoing exploitation attempts and to thoroughly review historical access logs for indicators of compromise that may have occurred prior to patching.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server and application logs for unusual file upload events, especially files with executable extensions (.aspx, .jsp, etc.) being written to web-accessible directories. Look for subsequent GET requests to these uploaded files.
  • File Integrity Monitoring (FIM): Implement FIM on web directories to detect the creation of new, unauthorized files.
  • Network Traffic: Monitor for suspicious outbound connections from the web server, which could indicate a reverse shell or data exfiltration.
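As an added illustration of the log-analysis step above (example code, not part of the advisory or of ZKEACMS itself), the following Python script scans constructed access-log lines in Common Log Format for GET requests to script-like files under an upload directory, checking every dotted name segment so that double-extension disguises such as `report.php.jpg` are also caught, and notes whether the same client POSTed to the upload endpoint earlier in the log. The endpoint path `/admin/upload`, the `/uploads/` directory and the client IPs are assumptions, not ZKEACMS's real values.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format). The client IPs, the upload
# endpoint and the upload directory are illustrative assumptions, not ZKEACMS's real paths.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "POST /admin/upload HTTP/1.1" 200 512
203.0.113.10 - - [10/Jul/2025:12:00:03 +0000] "GET /uploads/images/photo.aspx HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jul/2025:12:01:00 +0000] "POST /admin/upload HTTP/1.1" 200 512
198.51.100.7 - - [10/Jul/2025:12:01:05 +0000] "GET /uploads/images/logo.png HTTP/1.1" 200 4096
192.0.2.25 - - [10/Jul/2025:12:02:00 +0000] "GET /uploads/docs/report.php.jpg HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')
SCRIPT_EXTS = {"aspx", "ashx", "asmx", "asp", "cshtml", "php", "jsp"}
UPLOAD_PREFIXES = ("/uploads/",)       # assumption: where user-supplied files are served from
UPLOAD_ENDPOINTS = ("/admin/upload",)  # assumption: the upload handler's URL

def parse(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def script_segments(path):
    """Return every dotted name segment that is a script extension, e.g.
    '/uploads/docs/report.php.jpg' -> ['php']. Checking all segments, not just
    the last, catches double-extension disguises."""
    name = path.rsplit("/", 1)[-1]
    return [seg.lower() for seg in name.split(".")[1:] if seg.lower() in SCRIPT_EXTS]

def find_suspicious(log_text):
    """Flag GETs for script-like files under upload dirs and record whether the
    same client POSTed to an upload endpoint earlier in the log."""
    uploaders = set()
    hits = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        path = unquote(urlsplit(rec["target"]).path)  # drop query string, decode %xx
        if rec["method"] == "POST" and path.startswith(UPLOAD_ENDPOINTS):
            uploaders.add(rec["ip"])
        elif rec["method"] == "GET" and path.startswith(UPLOAD_PREFIXES):
            exts = script_segments(path)
            if exts:
                hits.append({"ip": rec["ip"], "path": path, "status": int(rec["status"]),
                             "exts": exts, "preceded_by_upload": rec["ip"] in uploaders})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

A 200 response to a flagged path is the stronger signal, since it means the server actually served (and may have executed) the file; a 404 still records an attempt worth correlating with the upload endpoint's logs.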

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious file uploads and known exploit patterns.
  • Disable file upload functionality if it is not essential for business operations.
  • Configure the web server to prevent script execution in directories where files are uploaded.
  • Ensure the application runs with the lowest possible user privileges to limit the impact of a potential compromise.

Exploitation status

Public Exploit Available: False (as of the date of this report)

Analyst recommendation

Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that immediate action be taken. The potential for complete system compromise presents an unacceptable risk to the organization. All vulnerable ZKEACMS instances must be patched immediately. Furthermore, organizations should assume potential compromise and initiate threat hunting procedures to search for any evidence of malicious activity. Although the vulnerability is not yet on the CISA KEV list, its high impact makes it a prime target for opportunistic and sophisticated threat actors.