CVE-2025-11139 Overview
A path traversal vulnerability has been identified in Bjskzy Zhiyou ERP up to version 11.0. The vulnerability exists within the uploadStudioFile function of the com.artery.form.services.FormStudioUpdater component. By manipulating the filepath argument, an authenticated remote attacker can traverse directory paths to access or modify files outside the intended directory structure. The exploit has been publicly disclosed and may be utilized by threat actors. The vendor was contacted early about this disclosure but did not respond in any way.
Critical Impact
Remote attackers with low privileges can exploit this path traversal vulnerability to potentially read sensitive files, overwrite critical system files, or upload malicious content to arbitrary locations on the affected ERP system.
Affected Products
- Zhiyou-group Zhiyou ERP versions up to 11.0
- Component: com.artery.form.services.FormStudioUpdater
- Function: uploadStudioFile
Discovery Timeline
- 2025-09-29 - CVE-2025-11139 published to NVD
- 2025-10-03 - Last updated in NVD database
Technical Details for CVE-2025-11139
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw resides in the uploadStudioFile function within the FormStudioUpdater service component of Zhiyou ERP.
The vulnerability allows authenticated attackers to manipulate the filepath parameter to break out of the intended directory structure. By injecting directory traversal sequences (such as ../), an attacker can navigate to parent directories and potentially access, modify, or overwrite files anywhere on the system where the application has permissions.
This type of vulnerability is particularly dangerous in ERP systems as they often contain sensitive business data, financial records, and may have elevated system privileges for database operations.
Root Cause
The root cause of this vulnerability is insufficient validation and sanitization of the filepath argument in the uploadStudioFile function. The application fails to properly validate user-supplied input before using it to construct file paths, allowing directory traversal sequences to be included in the path. Without proper canonicalization or path validation, attackers can escape the intended upload directory.
Attack Vector
The attack vector is network-based, meaning the vulnerability can be exploited remotely. An attacker with low-level authenticated access to the Zhiyou ERP system can craft malicious requests to the FormStudioUpdater component containing path traversal sequences in the filepath parameter.
The attack flow typically involves:
- Authenticating to the Zhiyou ERP application with valid credentials
- Crafting a request to the uploadStudioFile function
- Manipulating the filepath parameter to include traversal sequences like ../../
- Accessing or writing files outside the designated upload directory
For technical details and proof of concept information, see the GitHub Resource Documentation and VulDB entry #326216.
Detection Methods for CVE-2025-11139
Indicators of Compromise
- Web server logs containing requests to FormStudioUpdater endpoints with directory traversal patterns (e.g., ../, ..%2f, ..%5c)
- Unexpected file creation or modification outside of standard ERP upload directories
- Access logs showing repeated requests to the uploadStudioFile function with unusual filepath parameters
- Presence of unexpected files in system directories that match upload timestamps
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal sequences in the filepath parameter
- Monitor application logs for requests to com.artery.form.services.FormStudioUpdater containing suspicious path patterns
- Deploy file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications
- Use intrusion detection systems (IDS) with signatures for path traversal attack patterns
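The indicator list above calls out raw and URL-encoded traversal tokens in requests to the FormStudioUpdater endpoints. The following is an added example, not code from the advisory or from the product, that scans combined-format access-log lines for exactly those patterns: it isolates the request line, undoes URL encoding repeatedly so `..%2f`, `..%5c` and double-encoded forms such as `%252e%252e%252f` are all normalized, and only then applies the traversal regex. The endpoint path and all sample log lines are constructed; only the class name FormStudioUpdater and the parameter name come from the advisory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not part of the advisory or the product): flag access-log lines that
// reach the affected component with a traversal token in the request, after undoing
// URL encoding so ..%2f, ..%5c and double-encoded variants are all caught.
public class TraversalLogScan {

    // ".." followed by a slash or backslash, or ".." at the very end of the value.
    static final Pattern TRAVERSAL = Pattern.compile("\\.\\.(?:[\\\\/]|$)");

    // The endpoint path is an assumption; only the class name comes from the advisory.
    static final String COMPONENT_MARKER = "FormStudioUpdater";

    // Decode until the string stops changing (bounded) so %252e%252e%252f -> %2e%2e%2f -> ../
    static String fullyDecode(String s) {
        String current = s;
        for (int round = 0; round < 3; round++) {
            String next;
            try {
                // "+" is preserved: in a path it is a literal character, not a space.
                next = URLDecoder.decode(current.replace("+", "%2B"), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformed) {
                return current; // malformed escape such as "%zz": keep what we have
            }
            if (next.equals(current)) {
                return current;
            }
            current = next;
        }
        return current;
    }

    // Extract the quoted request line ("METHOD target HTTP/x") from a combined-log-format entry.
    static String requestTarget(String logLine) {
        int open = logLine.indexOf('"');
        int close = open >= 0 ? logLine.indexOf('"', open + 1) : -1;
        return (open >= 0 && close > open) ? logLine.substring(open + 1, close) : logLine;
    }

    static boolean isSuspicious(String logLine) {
        String request = requestTarget(logLine);
        if (!request.contains(COMPONENT_MARKER)) {
            return false; // not the vulnerable component; other detections handle it
        }
        return TRAVERSAL.matcher(fullyDecode(request)).find();
    }

    static List<String> findSuspicious(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (isSuspicious(line)) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample log lines; hosts, users, timestamps and paths are invented.
        List<String> sample = List.of(
            "10.0.0.5 - jdoe [03/Oct/2025:10:12:01 +0000] \"POST /erp/FormStudioUpdater/uploadStudioFile?filepath=report.xml HTTP/1.1\" 200 512",
            "10.0.0.9 - jdoe [03/Oct/2025:10:12:07 +0000] \"POST /erp/FormStudioUpdater/uploadStudioFile?filepath=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1\" 200 771",
            "10.0.0.9 - jdoe [03/Oct/2025:10:12:09 +0000] \"POST /erp/FormStudioUpdater/uploadStudioFile?filepath=%252e%252e%255cconf%255capp.properties HTTP/1.1\" 200 318",
            "10.0.0.5 - jdoe [03/Oct/2025:10:13:44 +0000] \"GET /erp/login HTTP/1.1\" 200 1024"
        );
        // Expected: the second and third lines are reported, the first and fourth are not.
        for (String hit : findSuspicious(sample)) {
            System.out.println("ALERT traversal pattern: " + hit);
        }
    }
}
```

The regex is deliberately narrow (a `..` must be followed by a separator or end the value) so ordinary names such as `backup...xml` do not fire; the component marker keeps the rule scoped to the affected class, which is where a SIEM correlation for this CVE belongs. The decode loop is the important part: a single-pass match on the raw log line would miss the double-encoded variant entirely, and the same consideration applies to any WAF rule that is not configured to decode before matching.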
Monitoring Recommendations
- Enable verbose logging for the Zhiyou ERP application, particularly for file upload operations
- Configure SIEM alerts for multiple failed or suspicious file upload attempts
- Regularly audit file system changes in directories accessible by the ERP application
- Monitor for unusual user activity patterns, particularly around file upload functionality
How to Mitigate CVE-2025-11139
Immediate Actions Required
- Restrict network access to the Zhiyou ERP system to trusted IP ranges only
- Implement additional authentication controls or multi-factor authentication for administrative functions
- Deploy a web application firewall (WAF) with rules to block path traversal attempts
- Review and restrict file system permissions for the ERP application service account
Patch Information
No official patch information is currently available. The vendor was contacted about this disclosure but did not respond. Organizations should monitor for updates from Zhiyou-group and apply security patches as soon as they become available.
Additional vulnerability details can be found at:
Workarounds
- Implement input validation at the network perimeter using a WAF to filter path traversal sequences
- Apply strict file path validation and canonicalization through a reverse proxy or application gateway
- Restrict the uploadStudioFile function to only accept filenames without path components
- Consider disabling the affected file upload functionality until a vendor patch is available
- Implement allowlist-based validation for acceptable file paths and directories
# Example WAF rule for blocking path traversal (ModSecurity format)
# ARGS values are URL-decoded once by the engine; t:urlDecodeUni additionally
# unwraps double-encoded forms such as ..%252f before the regex runs. The
# character class matches both "../" and "..\" (the ..%5c variant). Only the
# filepath argument is inspected; widen the target to ARGS if the parameter
# name differs in your deployment.
SecRule ARGS:filepath "@rx \.\.[\\/]" \
    "id:1001,\
    phase:2,\
    t:none,t:urlDecodeUni,\
    deny,\
    status:403,\
    log,\
    msg:'Path Traversal Attempt Blocked - CVE-2025-11139',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'attack-lfi'"
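The root-cause section attributes the flaw to a filepath argument that is used to build a file path without canonicalization or containment checks, and the workarounds above ask for bare file names plus allowlist-style validation. The following is an added example, not Zhiyou ERP code and not a reconstruction of uploadStudioFile, that places the unsafe concatenation pattern beside a hardened resolver of the kind those workarounds describe. The upload root, method names and sample inputs are all assumptions; the real directory layout is not on the page.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Zhiyou ERP code): a client-supplied "filepath" resolved the
// unsafe way beside a hardened resolver. The upload root is an assumption.
public class StudioUploadPathCheck {

    // Hypothetical upload directory; the real ERP layout is not documented on the page.
    static final Path UPLOAD_ROOT = Paths.get("/opt/erp/studio/uploads").toAbsolutePath().normalize();

    // Vulnerable pattern (illustrative): the client value is appended to the root with
    // no validation, so "../" segments walk out of UPLOAD_ROOT once the path is used.
    static Path vulnerableResolve(String filepath) {
        return Paths.get(UPLOAD_ROOT.toString(), filepath);
    }

    // Hardened resolver: accept a bare file name only, then canonicalize and confirm
    // the result is still inside UPLOAD_ROOT (defence in depth against a missed token).
    static Path safeResolve(String filepath) {
        if (filepath == null || filepath.isEmpty()) {
            throw new IllegalArgumentException("empty filepath");
        }
        // Both separators are rejected so the check does not depend on the host OS;
        // NUL is rejected because some lower-level APIs truncate the string at that byte.
        if (filepath.contains("/") || filepath.contains("\\")
                || filepath.contains("..") || filepath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("path components are not allowed: " + filepath);
        }
        Path candidate = UPLOAD_ROOT.resolve(filepath).normalize();
        // Path.startsWith compares whole components, so a sibling such as
        // /opt/erp/studio/uploads2 is correctly treated as outside the root.
        if (!candidate.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("resolved path escapes upload root: " + candidate);
        }
        return candidate;
    }

    // True when a resolved path ends up outside UPLOAD_ROOT after ".." segments are applied.
    static boolean escapesRoot(Path resolved) {
        return !resolved.normalize().startsWith(UPLOAD_ROOT);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name, two traversal attempts, one subdirectory.
        String[] samples = {
            "report.xml",
            "../../etc/passwd",
            "..\\..\\conf\\server.xml",
            "sub/dir/file.xml"
        };
        for (String s : samples) {
            Path unsafe = vulnerableResolve(s);
            System.out.printf("%-26s unsafe   -> %s (escapes root: %b)%n",
                    s, unsafe.normalize(), escapesRoot(unsafe));
            try {
                System.out.printf("%-26s hardened -> %s%n", s, safeResolve(s));
            } catch (IllegalArgumentException e) {
                System.out.printf("%-26s hardened -> rejected (%s)%n", s, e.getMessage());
            }
        }
    }
}
```

Two details matter in practice. First, the backslash sample only escapes the root on Windows, where `\` is a separator; on Linux the unsafe resolver treats it as one odd file name. The hardened check rejects both separators regardless of platform so behaviour does not silently change with the deployment OS. Second, `normalize()` does not follow symbolic links; if the upload directory may contain links pointing elsewhere, resolve the candidate with `toRealPath()` after the file exists, or ensure no links live under the root. The containment check after the token filter is intentional: a token filter alone is easy to bypass with an encoding the filter did not anticipate, whereas a canonicalize-then-compare check holds regardless of how the input was written.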
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

