PT-2025-31821 · Kingdee · Kingdee Cloud-Starry-Sky Enterprise Edition

Caichaoxiong · Published 2025-08-04 · Updated 2025-11-03 · CVE-2025-8516

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected software and versions: Kingdee Cloud-Starry-Sky Enterprise Edition, versions prior to 8.3

Description: A path traversal vulnerability exists in Kingdee Cloud-Starry-Sky Enterprise Edition. The affected code is the BaseServiceFactory.getFileUploadService.deleteFileAction function in K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!kingdee\k3\o2o\base\webapp\action\FileUploadAction.class, part of the IIS-K3CloudMiniApp component. The filePath argument is used without being confined to the intended directory, so a remote attacker can supply traversal sequences in filePath to reach paths outside it. The CVSS vector (PR:N, C:L) classifies this as an unauthenticated, network-reachable issue with limited confidentiality impact. The exploit has been publicly disclosed and may be in use.

Recommendations: Install the security patch provided by the vendor for the Starry Sky system. The patch (i) adds authentication to the vulnerable CMKAppWebHandler.ashx interface and (ii) removes the file reading function. As a short-term measure, disable external network access to the Kingdee Cloud-Starry-Sky (also rendered Kingdee Cloud Galaxy) retail system, or restrict access to it with an IP whitelist. Enforce any such whitelist at the web server or network edge rather than only in application code, since the vulnerable handler itself accepts requests without authentication.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-8516

Affected Products

IIS-K3CloudMiniApp
Kingdee Cloud-Starry-Sky Enterprise Edition