PT-2025-26670 · Yonyou · Yongyou Ufida-Nc

Pursue Security · Published 2025-06-24 · Updated 2025-11-17 · CVE-2025-34039

CVSS v4.0: 10 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected Software and Versions: Yonyou UFIDA NC 6.5 and prior
Description: Yonyou UFIDA NC bundles a third-party BeanShell JAR whose test servlet, bsh.servlet.BshServlet, is reachable on vulnerable installations without any authentication or other access control. The servlet evaluates whatever BeanShell/Java source is supplied in the bsh.script request parameter, so an unauthenticated remote attacker can execute arbitrary Java code inside the application server's JVM, run operating-system commands from that code, and ultimately take full control of the target server.
Recommendations: For Yonyou UFIDA NC 6.5 and prior, disable bsh.servlet.BshServlet until Yonyou provides a patch: remove the servlet and any servlet-mapping that exposes it from the web application's deployment descriptor (web.xml), or remove the bundled BeanShell JAR if nothing else in the deployment depends on it, then restart the application server. Where that cannot be done immediately, block requests for the servlet at the reverse proxy or WAF and restrict network access so the endpoint is not reachable from untrusted networks. Review web-server and application logs for requests carrying a bsh.script parameter; any such request from an unexpected source should be treated as an exploitation attempt and the host investigated for follow-on activity. After remediation, confirm that a request for the servlet no longer returns the BeanShell interface.
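The log review recommended above, as an added example that is not part of the advisory or of Yonyou's software: a Python triage script that scans web-server access-log lines for requests that reach bsh.servlet.BshServlet, decodes the bsh.script parameter, and grades each hit by whether it merely probed the servlet, ran Java code, or reached for an OS command. The sample log lines are constructed, and the URL under which the servlet appears in them (/servlet/bsh.servlet.BshServlet) is hypothetical; real deployments may map it elsewhere, so the check matches on the servlet class name rather than on a fixed path.

```python
"""Triage helper for CVE-2025-34039-style exposure of bsh.servlet.BshServlet.

Scans Combined Log Format access-log lines, finds requests whose target names
the BeanShell servlet, decodes the bsh.script parameter and classifies it.
Example code written for this page, not Yonyou's or Pursue Security's code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The page identifies the endpoint by class name; the URL mapping is deployment-specific.
SERVLET_MARKER = "bsh.servlet.BshServlet"

# Ways to spawn an OS process from BeanShell: the bsh exec() command, or the
# usual Java APIs once arbitrary code is running.
OS_CMD_RE = re.compile(r"Runtime\.getRuntime|ProcessBuilder|\bexec\s*\(")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def extract_bsh_script(target):
    """Return the decoded bsh.script value for a BshServlet request.

    None  -> request did not target the servlet
    ""    -> servlet was requested without a script (probe / form load)
    str   -> decoded script the caller asked the servlet to evaluate
    """
    parts = urlsplit(target)
    if SERVLET_MARKER not in parts.path:
        return None
    scripts = parse_qs(parts.query, keep_blank_values=True).get("bsh.script")
    return scripts[0] if scripts else ""


def classify(script):
    """Grade a decoded script: 'probe', 'code', or 'os-command'."""
    if not script.strip():
        return "probe"
    if OS_CMD_RE.search(script):
        return "os-command"
    return "code"


def scan(lines):
    """Return one finding per request that reached the servlet, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        script = extract_bsh_script(rec["target"])
        if script is None:
            continue
        findings.append({
            "ip": rec["ip"], "time": rec["time"], "method": rec["method"],
            "status": rec["status"], "script": script, "severity": classify(script),
        })
    return findings


# Constructed sample lines; the /servlet/ mapping is hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2025:10:01:02 +0000] "GET /servlet/bsh.servlet.BshServlet HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jun/2025:10:01:09 +0000] "GET /servlet/bsh.servlet.BshServlet?bsh.script=print%281%2B1%29%3B HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Jun/2025:10:01:15 +0000] "GET /servlet/bsh.servlet.BshServlet?bsh.script=exec%28%22whoami%22%29%3B HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Jun/2025:10:02:00 +0000] "POST /servlet/bsh.servlet.BshServlet?bsh.script=Runtime.getRuntime%28%29.exec%28%22id%22%29%3B HTTP/1.1" 200 530 "-" "curl/8.0"',
    '192.0.2.9 - - [24/Jun/2025:10:03:00 +0000] "GET /nc/login.jsp HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["time"]} {f["ip"]:>15} {f["severity"]:<10} {f["script"]!r}')
```

A script submitted in a POST body does not appear in access logs, so a clean access-log scan does not prove the servlet was never used; pair it with application-server logs or a network capture, and treat a reachable servlet as exploitable regardless of what the logs show.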

Tags: RCE, Missing Authentication, OS Command Injection

Related Identifiers: CVE-2025-34039

Affected Products: Yongyou Ufida-Nc