OA - Path Traversal (CVE-2025-34040)
278 exploiting IPs reported
An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server.
CrowdSec analysis
CVE-2025-34040 is a severe path traversal vulnerability in the Zhiyuan OA platform that allows unauthenticated attackers to upload arbitrary files, including malicious JSP scripts, outside of intended directories via the wpsAssistServlet interface. By exploiting improper validation of the realFileType and fileId parameters, attackers can achieve remote code execution on the affected server, potentially leading to full system compromise. This vulnerability poses a significant risk for organizations using vulnerable versions of the Zhiyuan OA platform.
CrowdSec has been tracking this vulnerability and its exploits since the 16th of July 2025.
According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-34040 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2025-34040 remains steady week-over-week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2025-34040 continues to be an active part of the threat landscape and will likely remain this way for the foreseeable future.
Attackers exploit the /seeyon/wpsAssistServlet endpoint by sending crafted POST requests with path traversal in the realFileType parameter, enabling arbitrary file upload and potential remote code execution on vulnerable Zhiyuan OA Platform instances.
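One way to hunt for the request pattern described above in web server logs, as an added example (not CrowdSec's detection rule and not code from this page). It assumes combined-format access logs and that the parameters show up in the logged request URI; the log lines and the helper names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/seeyon/wpsassistservlet"   # compared case-insensitively
PARAMS = ("realFileType", "fileId")     # parameters named in the advisory
REQ = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real telemetry.
SAMPLE = [
    '198.51.100.7 - - [16/Jul/2025:10:01:02 +0000] "POST /seeyon/wpsAssistServlet?realFileType=..%2F..%2Fexample.jsp&fileId=1 HTTP/1.1" 200 45',
    '203.0.113.9 - - [16/Jul/2025:10:02:10 +0000] "POST /seeyon/wpsAssistServlet?realFileType=%252e%252e%255cexample.jsp&fileId=2 HTTP/1.1" 404 0',
    '192.0.2.15 - - [16/Jul/2025:10:03:00 +0000] "POST /seeyon/wpsAssistServlet?realFileType=docx&fileId=3 HTTP/1.1" 200 12',
    '192.0.2.15 - - [16/Jul/2025:10:04:00 +0000] "GET /seeyon/index.jsp HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding, e.g. %252e%252e -> '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment, split on / or \\, is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def inspect(line):
    """Return (client_ip, param, decoded_value, status) for a suspicious line, else None."""
    m = REQ.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    if method != "POST" or fully_decode(url.path).lower().rstrip("/") != ENDPOINT:
        return None
    # Assumption: parameters are in the query string; multipart body
    # fields never reach an access log and need WAF or proxy inspection.
    query = parse_qs(url.query, keep_blank_values=True)
    for name in PARAMS:
        for value in query.get(name, []):
            if has_traversal(value):
                return ip, name, fully_decode(value), int(status)
    return None

def scan(lines):
    return [hit for hit in map(inspect, lines) if hit]
```

The returned status code is there for triage: any hit is worth following up with a check of the web root for recently created JSP files.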
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.