VYPR

Medium severity (CVSS 5.3) · NVD Advisory · Published Aug 4, 2025 · Updated Apr 15, 2026

CVE-2025-8516

Description

A security vulnerability has been detected in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. This issue affects the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. The manipulation of the argument filePath leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. It is suggested to install a patch to address this issue. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2 allows remote attackers to delete arbitrary files via the deleteFileAction function.

Vulnerability

A path traversal vulnerability has been identified in Kingdee Cloud-Starry-Sky Enterprise Edition up to version 8.2. The flaw resides in the FileUploadAction.class within the Kingdee.K3.O2O.Base.WebApp.jar file. Specifically, the deleteFileAction function of the BaseServiceFactory.getFileUploadService service does not properly sanitize the filePath parameter, allowing an attacker to traverse directories outside the intended scope [1].

Exploitation

This vulnerability can be exploited remotely without authentication: the attack vector is network-based, and the vendor's fix adds authentication to the CMKAppWebHandler.ashx interface, which indicates that the affected endpoint could be reached without credentials. Exploitation is straightforward and a public exploit has been disclosed, which raises the likelihood of active attacks. An attacker can send a crafted HTTP request to the vulnerable IIS-K3CloudMiniApp component with a manipulated filePath argument to target arbitrary files on the server [1].

Impact

Successful exploitation enables an attacker to delete arbitrary files on the affected system. This could lead to denial of service, data loss, or potential further compromise depending on the files removed. The vulnerability is classified as medium severity with a CVSS v3 score of 5.3.

Mitigation

Kingdee recommends temporarily disabling external network access to the Kingdee Cloud Galaxy Retail System or setting up an IP whitelist for access control as a short-term measure. For long-term remediation, users should install the official security patch provided by the Starry Sky system. The patch involves adding authentication to the vulnerable CMKAppWebHandler.ashx interface and removing the file reading function [1].
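The defensive check this class of bug calls for, shown as an added example that is neither Kingdee's code nor the content of the vendor patch: a delete handler that percent-decodes the client-supplied path, resolves it, and refuses anything outside the upload root, exercised against constructed traversal variants (plain and encoded `..`, an absolute path, and a sibling directory whose name shares the root's prefix). It is written in Python rather than the Java of the affected class; all names, paths and the temporary directory layout are assumptions.

```python
import os
import tempfile
from urllib.parse import unquote

class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the upload root."""

def resolve_within_root(upload_root: str, client_path: str) -> str:
    # Percent-decode first so "%2e%2e/" is seen as "../", reject absolute and
    # NUL-bearing input, let realpath collapse ".." and symlinks, then confine
    # with a separator-aware prefix check ("/srv/uploads_old" is not inside "/srv/uploads").
    root = os.path.realpath(upload_root)
    decoded = unquote(client_path)
    if os.path.isabs(decoded) or "\x00" in decoded:
        raise PathTraversalError(f"absolute or NUL-bearing path: {client_path!r}")
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"path escapes upload root: {client_path!r}")
    return candidate

def delete_upload(upload_root: str, client_path: str) -> bool:
    # Hardened delete handler: removes only regular files inside upload_root.
    target = resolve_within_root(upload_root, client_path)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def demo() -> dict:
    # Constructed scenario: temp upload root with one file, a prefix-colliding
    # sibling directory, and a file outside the root that must survive.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "uploads")
    for d in ("uploads/docs", "uploads_old"):
        os.makedirs(os.path.join(base, d))
    for rel in ("uploads/docs/a.txt", "secret.txt", "uploads_old/b.txt"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample")
    attempts = {"plain_dotdot": "../secret.txt", "encoded_dotdot": "%2e%2e/secret.txt",
                "absolute": os.path.join(base, "secret.txt"), "sibling_prefix": "../uploads_old/b.txt",
                "missing": "docs/nope.txt", "legit": "docs/a.txt"}
    results = {}
    for name, path in attempts.items():
        try:
            results[name] = "deleted" if delete_upload(root, path) else "missing"
        except PathTraversalError:
            results[name] = "blocked"
    results["secret_survives"] = os.path.exists(os.path.join(base, "secret.txt"))
    return results
```

Rejections are raised as a distinct exception so the calling layer can log them as traversal attempts rather than as ordinary "file not found" errors.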

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
