VYPR
Medium severity (4.3) · NVD Advisory · Published Apr 14, 2025 · Updated Apr 15, 2026

CVE-2025-3562

Description

A vulnerability was found in Yonyou YonBIP MA2.7. It has been declared as problematic. Affected by this vulnerability is the function FileInputStream of the file /mobsm/common/userfile. The manipulation of the argument path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Yonyou YonBIP MA2.7 allows remote attackers to read arbitrary files via the /mobsm/common/userfile endpoint.

Vulnerability

Details

The vulnerability resides in the /mobsm/common/userfile endpoint of Yonyou YonBIP MA2.7. The application opens a FileInputStream on a user-supplied path parameter without validating it, so an attacker can traverse directories and read arbitrary files on the server [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint with a path parameter containing directory traversal sequences (e.g., \..\..\). No authentication is required, and the attack can be launched remotely. A proof-of-concept (POC) request targeting the WEB-INF/web.xml file has been publicly disclosed [1].

Impact

Successful exploitation enables an attacker to read sensitive files from the server, such as configuration files, source code, or credentials. This could lead to further compromise of the application or underlying system.

Mitigation

The vendor was contacted but did not respond. As of the publication date, no official patch or workaround has been released. Organizations using YonBIP MA2.7 should consider restricting access to the vulnerable endpoint or applying virtual patching until a fix is available [1].
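One way to implement the virtual patch suggested above, as an added example that is not vendor or advisory code: a request-filter check that a reverse proxy or WAF could apply to the `path` parameter of the /mobsm/common/userfile endpoint before the request reaches the application. The endpoint and parameter names come from the advisory; the user-file directory name is an assumption, and the check assumes the proxy has already normalised the request path itself.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

VULNERABLE_ENDPOINT = "/mobsm/common/userfile"  # from the advisory
PARAM = "path"                                   # from the advisory
# Assumption: user files live in this directory relative to the web root.
USERFILE_DIR = "userfiles/"


def fully_decode(value: str) -> str:
    """Percent-decode until stable so double-encoded dots cannot hide."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def path_param_is_safe(value: str) -> bool:
    """True only if `value` stays inside USERFILE_DIR after normalisation."""
    decoded = fully_decode(value)
    if "\x00" in decoded:                 # null-byte truncation attempts
        return False
    unified = decoded.replace("\\", "/")  # the PoC uses backslash sequences
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        return False                      # absolute POSIX or drive-letter path
    # Resolve relative to the user-file directory and collapse '.' and '..'.
    resolved = posixpath.normpath(USERFILE_DIR + unified)
    # Anything that climbed out (e.g. to WEB-INF/) no longer carries the prefix;
    # an empty value resolves to the directory itself and is rejected as well.
    return resolved.startswith(USERFILE_DIR)


def request_is_safe(request_line: str) -> bool:
    """Apply the check to one HTTP request line; other endpoints pass through."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False                      # malformed request line: block it
    parts = urlsplit(target)
    if parts.path != VULNERABLE_ENDPOINT:
        return True
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    return all(path_param_is_safe(v) for v in values)
```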

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

Four references are linked in the source record (the entries themselves are not reproduced on this page).
