VYPR
Medium severity 5.4 · NVD Advisory · Published May 21, 2025 · Updated Apr 15, 2026

CVE-2025-5029


Description

A vulnerability has been found in Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 and classified as critical. Affected by this vulnerability is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file fileUpload/deleteFileAction.jhtml of the component File Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kingdee Cloud Galaxy Private Cloud BBC System up to 9.0 Patch April 2025 has a path traversal vulnerability in its file deletion handler that lets a remote attacker delete arbitrary files on the server.

The vulnerability is in the fileUpload/deleteFileAction.jhtml endpoint of the Kingdee Cloud Galaxy Private Cloud BBC System (File Handler component), which hands the request off to BaseServiceFactory.getFileUploadService.deleteFileAction. Versions up to 9.0 Patch April 2025 are affected. The filePath parameter is not canonicalised or checked against the intended upload directory before the file is removed, so a crafted filePath can name files outside that directory [1].
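The following is an added illustration, not code from Kingdee or from the advisory: a deletion handler written in the pattern the description implies (the parameter is joined to the upload directory and used as-is) next to a hardened version that canonicalises the path and refuses anything that resolves outside the directory. The directory layout, file names and the `resolve_within` helper are assumptions made for the example; the real product is Java, and this Python only shows the check that is missing.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path resolves outside the upload directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Resolve user_path against base_dir and reject anything that escapes it.

    realpath() collapses '.' and '..' segments and follows symlinks, so the
    containment check runs on the final filesystem location rather than on the
    raw string. Leading separators are stripped so an absolute user_path cannot
    make os.path.join() discard base_dir.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"refusing path outside upload dir: {user_path!r}")
    return candidate


def is_rejected(base_dir: str, user_path: str) -> bool:
    """True if resolve_within() refuses user_path (no filesystem access needed)."""
    try:
        resolve_within(base_dir, user_path)
        return False
    except PathTraversalError:
        return True


def delete_upload_vulnerable(upload_dir: str, file_path: str) -> bool:
    """The pattern the advisory describes: the parameter is joined and used directly."""
    target = os.path.join(upload_dir, file_path)  # no canonicalisation, no containment check
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def delete_upload_safe(upload_dir: str, file_path: str) -> bool:
    """Hardened version: only files that resolve inside upload_dir can be deleted."""
    target = resolve_within(upload_dir, file_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def demo() -> dict:
    """Constructed scenario: an uploads directory next to a file it must never touch."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    victim = os.path.join(root, "config.properties")  # lives outside uploads/
    Path(victim).write_text("db.password=placeholder\n")
    Path(os.path.join(uploads, "report.pdf")).write_bytes(b"%PDF-1.4\n")

    results = {}
    # Vulnerable handler: '../config.properties' walks out of uploads/ and deletes the file.
    results["vulnerable_deleted_outside"] = delete_upload_vulnerable(uploads, "../config.properties")
    Path(victim).write_text("restored\n")  # put it back for the second run
    # Hardened handler: the same payload is refused before any filesystem change.
    try:
        delete_upload_safe(uploads, "../config.properties")
        results["safe_blocked"] = False
    except PathTraversalError:
        results["safe_blocked"] = True
    results["victim_survives"] = os.path.isfile(victim)
    # A legitimate deletion inside the directory still works.
    results["safe_deleted_legit"] = delete_upload_safe(uploads, "report.pdf")
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the containment check runs after percent-decoding has already happened in the web layer; the check compares resolved filesystem paths, so it does not need to enumerate encodings of `..`. A denylist on the raw string (rejecting the literal `../`) would not be equivalent, because backslashes, absolute paths and symlinks all reach the same place by other routes.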

Exploitation is a single HTTP request to the vulnerable endpoint with a filePath containing directory traversal sequences (e.g., ../); no user interaction is required. The CVE description does not say whether the endpoint is reachable without credentials, and the medium 5.4 score is lower than a network-reachable, unauthenticated, no-interaction vector would produce for this impact, so do not assume an unauthenticated attacker: treat every account that can reach the file handler as a potential attacker and confirm the exact vector in the vendor advisory. The exploit has been publicly disclosed, increasing the risk of active attacks [1].
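For the detection side, here is an added example (not from the advisory or from Kingdee) that scans web-server access logs for requests to the deletion endpoint whose filePath carries a traversal sequence. The log lines are constructed for the example; the endpoint path and parameter name come from the CVE description, while the log format, client addresses and probed file names are assumptions. It goes slightly beyond the plain `../` case in the text by also catching URL-encoded, double-encoded and backslash variants.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined-style), not real traffic.
# Client 10.0.0.9 probes the endpoint with plain, URL-encoded, double-encoded and
# backslash traversal sequences; the other two requests are benign.
LOG_LINES = [
    '10.0.0.5 - - [21/May/2025:10:01:02 +0000] "GET /fileUpload/deleteFileAction.jhtml?filePath=reports/2025/q1.pdf HTTP/1.1" 200 12',
    '10.0.0.9 - - [21/May/2025:10:01:07 +0000] "GET /fileUpload/deleteFileAction.jhtml?filePath=../../../../etc/hosts HTTP/1.1" 200 12',
    '10.0.0.9 - - [21/May/2025:10:01:09 +0000] "GET /fileUpload/deleteFileAction.jhtml?filePath=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 12',
    '10.0.0.9 - - [21/May/2025:10:01:11 +0000] "GET /fileUpload/deleteFileAction.jhtml?filePath=%252e%252e%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 12',
    '10.0.0.7 - - [21/May/2025:10:02:00 +0000] "GET /index.jhtml?q=../foo HTTP/1.1" 200 12',
    '10.0.0.9 - - [21/May/2025:10:02:30 +0000] "POST /fileUpload/deleteFileAction.jhtml?filePath=..\\..\\WEB-INF\\web.xml HTTP/1.1" 200 12',
]

ENDPOINT = "/fileupload/deletefileaction.jhtml"  # compared case-insensitively
PARAM = "filepath"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A '..' segment bounded by separators or string ends, after backslashes are normalised to '/'.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded %252e%252e is caught as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> bool:
    """True when the request hits the file-deletion endpoint with a traversal filePath."""
    path, _, query = target.partition("?")
    if not decode_fully(path).lower().endswith(ENDPOINT):
        return False
    # Split on '&' before decoding so an encoded '&' inside a value cannot hide a parameter.
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() != PARAM:
            continue
        normalised = decode_fully(value).replace("\\", "/")
        if TRAVERSAL_RE.search(normalised):
            return True
    return False


def flag_log_lines(lines):
    """Return (client_ip, request_target) for each line that looks like an exploitation attempt."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in flag_log_lines(LOG_LINES):
        print(f"{ip} {target}")
```

Access logs only record the request line, so a filePath sent in a POST body is invisible here; for that case the same `is_traversal_attempt` logic has to run on the application's own request log or a WAF that sees the body. The traversal regex deliberately requires `..` to be a whole path segment, so legitimate names such as `docs/..hidden/file.txt` are not flagged.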

Successful exploitation lets the attacker delete arbitrary files the application process can write to, which can cause denial of service, data loss, or further compromise if configuration, authentication or other critical files are removed. The described impact is limited to file deletion; no code execution is described.

Kingdee has released a security patch to fix this vulnerability. Users of BBC System up to 9.0 Patch April 2025 are strongly advised to apply the update as recommended in the official advisory [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.