CVE-2025-8775

Summary

A vulnerability was found in Qiyuesuo Eelectronic Signature Platform up to 4.34 and classified as critical. Affected by this issue is the function execute of the file /api/code/upload of the component Scheduled Task Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
QiyuesuoEelectronic Signature Platform4.0affected
QiyuesuoEelectronic Signature Platform4.1affected
QiyuesuoEelectronic Signature Platform4.2affected
QiyuesuoEelectronic Signature Platform4.3affected
QiyuesuoEelectronic Signature Platform4.4affected
QiyuesuoEelectronic Signature Platform4.5affected
QiyuesuoEelectronic Signature Platform4.6affected
QiyuesuoEelectronic Signature Platform4.7affected
QiyuesuoEelectronic Signature Platform4.8affected
QiyuesuoEelectronic Signature Platform4.9affected
QiyuesuoEelectronic Signature Platform4.10affected
QiyuesuoEelectronic Signature Platform4.11affected
QiyuesuoEelectronic Signature Platform4.12affected
QiyuesuoEelectronic Signature Platform4.13affected
QiyuesuoEelectronic Signature Platform4.14affected
QiyuesuoEelectronic Signature Platform4.15affected
QiyuesuoEelectronic Signature Platform4.16affected
QiyuesuoEelectronic Signature Platform4.17affected
QiyuesuoEelectronic Signature Platform4.18affected
QiyuesuoEelectronic Signature Platform4.19affected
QiyuesuoEelectronic Signature Platform4.20affected
QiyuesuoEelectronic Signature Platform4.21affected
QiyuesuoEelectronic Signature Platform4.22affected
QiyuesuoEelectronic Signature Platform4.23affected
QiyuesuoEelectronic Signature Platform4.24affected
QiyuesuoEelectronic Signature Platform4.25affected
QiyuesuoEelectronic Signature Platform4.26affected
QiyuesuoEelectronic Signature Platform4.27affected
QiyuesuoEelectronic Signature Platform4.28affected
QiyuesuoEelectronic Signature Platform4.29affected
QiyuesuoEelectronic Signature Platform4.30affected
QiyuesuoEelectronic Signature Platform4.31affected
QiyuesuoEelectronic Signature Platform4.32affected
QiyuesuoEelectronic Signature Platform4.33affected
QiyuesuoEelectronic Signature Platform4.34affected

Weaknesses

  • CWE-434: Unrestricted Upload
  • CWE-284: Improper Access Controls

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References