CVE-2022-50973

Yonyou Network Technology Co. · KSOA

Yonyou KSOA 9.0 is vulnerable to unauthenticated arbitrary file uploads via the ImageUpload servlet, allowing remote attackers to execute arbitrary code by uploading malicious JSP files.

Executive summary

An unauthenticated remote code execution vulnerability in Yonyou KSOA 9.0 poses a critical risk to organizational systems due to confirmed active exploitation in the wild.

Vulnerability

The application performs neither authentication nor file validation in the com.sksoft.bill.ImageUpload servlet. Unauthenticated attackers can upload and execute arbitrary JSP webshells by manipulating the filepath and filename parameters.

Business impact

With a CVSS score of 9.8, this vulnerability represents an extreme risk, enabling full system compromise. Successful exploitation grants attackers persistent access to the underlying server, potentially leading to total data exfiltration, lateral movement within the internal network, and severe reputational damage.

Remediation

Immediate Action: Update Yonyou KSOA to the latest patched version provided by the vendor; exploitation is confirmed to be occurring in the wild.

Proactive Monitoring: Inspect web server logs for suspicious POST requests directed at the ImageUpload servlet and search for unauthorized JSP files within the /pictures/ directory.

Compensating Controls: Deploy a Web Application Firewall (WAF) rule to block requests containing suspicious filename extensions or path traversal characters directed at the identified servlet.
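The monitoring and compensating-control steps above can be turned into a small log triage script. The following is an added example written for this page, not code from the vendor or the advisory: it parses combined-format access-log lines, flags requests to the ImageUpload servlet whose filepath or filename parameter carries a JSP extension, path traversal or a null byte (the same conditions a WAF rule would match), and flags any JSP being requested from the /pictures/ directory. The servlet URL path, the query-string placement of the parameters and the log lines themselves are constructed assumptions; only the servlet name, the two parameter names and the /pictures/ directory come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). The servlet URL
# path and the query-string placement of the parameters are assumptions made
# for this example; the servlet name, the filepath/filename parameters and the
# /pictures/ directory come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /ksoa/index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:02:15 +0000] "POST /ksoa/servlet/com.sksoft.bill.ImageUpload?filepath=..%2F..%2Fpictures%2F&filename=upload.jsp HTTP/1.1" 200 37 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:02:16 +0000] "GET /pictures/upload.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "POST /ksoa/servlet/com.sksoft.bill.ImageUpload?filepath=pictures%2F&filename=invoice.png HTTP/1.1" 200 37 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# .jsp or .jspx either at the end of the name or followed by a non-alphanumeric
# character (catches "shell.jsp\x00.png" style names as well as plain "x.jsp")
JSP_EXT_RE = re.compile(r"\.jspx?(?:$|[^a-z0-9])")


def name_findings(value: str) -> list[str]:
    """Return the reasons an uploaded filepath/filename value looks hostile."""
    decoded = unquote(unquote(value))  # collapse single and double URL encoding
    reasons = []
    if ".." in decoded or decoded.startswith(("/", "\\")) or "\\" in decoded:
        reasons.append("path traversal")
    if "\x00" in decoded:
        reasons.append("null byte")
    if JSP_EXT_RE.search(decoded.lower()):
        reasons.append("JSP extension")
    return reasons


def analyze_line(line: str):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    reasons = []
    if "imageupload" in path.lower():
        if m.group("method") == "POST":
            reasons.append("POST to ImageUpload servlet")
        params = parse_qs(url.query)
        for key in ("filepath", "filename"):
            for value in params.get(key, []):
                reasons += [f"{key}: {r}" for r in name_findings(value)]
    elif path.lower().startswith("/pictures/") and JSP_EXT_RE.search(path.lower()):
        reasons.append("JSP requested from /pictures/")
    if not reasons:
        return None
    # A bare POST to the servlet is expected traffic and only worth a low-priority
    # review; hostile parameter values or a served JSP are high priority.
    severity = "high" if any(r != "POST to ImageUpload servlet" for r in reasons) else "low"
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
        "target": m.group("target"), "status": m.group("status"),
        "severity": severity, "reasons": reasons,
    }


def scan_log(text: str) -> list[dict]:
    """Run analyze_line over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        f = analyze_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['target']} -> {'; '.join(f['reasons'])}")
```

Run against a real Tomcat or front-end proxy access log, any high-severity finding is a reason to pull the server's /pictures/ directory and check it for JSP files, and the conditions in name_findings are the ones to encode in the WAF rule for the servlet path.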

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the confirmed active exploitation and the high severity of this remote code execution vulnerability, administrators must prioritize this update above all other maintenance tasks. Failure to remediate could result in a complete compromise of the hosting server and surrounding network infrastructure.