CVE-2025-7108

Name of the Vulnerable Software and Affected Versions: risesoft-y9 Digital-Infrastructure versions prior to 9.6.8

Description: A critical issue affects the deleteFile function in the file /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. The manipulation of the fullPath argument leads to path traversal. This issue can be exploited remotely. An exploit has been publicly disclosed and may be utilized. The vendor was contacted prior to this disclosure but did not respond.

Recommendations: For risesoft-y9 Digital-Infrastructure versions prior to 9.6.8, as a temporary workaround, consider disabling the deleteFile function in the Y9FileController.java file until a patch is available. Restrict access to the vulnerable filemanager module to minimize the risk of exploitation. Avoid using the fullPath argument in the affected function until the issue is resolved.