CVE-2025-6761 Overview
A critical Server-Side Template Injection (SSTI) vulnerability has been identified in Kingdee Cloud-Starry-Sky Enterprise Edition affecting versions 6.x through 9.0. The vulnerability exists in the Freemarker template engine component, specifically within the plugin.buildMobilePopHtml function located in the DynamicForm4Action.class file. This flaw allows remote attackers to inject malicious template directives that can be processed by the Freemarker engine, potentially leading to unauthorized code execution.
The vulnerability stems from improper neutralization of special elements used in the template engine (CWE-791), enabling attackers to craft malicious payloads that bypass intended security controls. The exploit has been publicly disclosed, increasing the urgency for organizations using affected versions to apply available patches.
Critical Impact
Remote attackers can exploit the Freemarker template engine to inject malicious templates, potentially compromising confidentiality, integrity, and availability of the affected Kingdee Cloud-Starry-Sky Enterprise Edition systems.
Affected Products
- Kingdee Cloud-Starry-Sky Enterprise Edition 6.x
- Kingdee Cloud-Starry-Sky Enterprise Edition 7.x
- Kingdee Cloud-Starry-Sky Enterprise Edition 8.x
- Kingdee Cloud-Starry-Sky Enterprise Edition 9.0
Discovery Timeline
- 2025-06-27 - CVE-2025-6761 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-6761
Vulnerability Analysis
This vulnerability represents a Server-Side Template Injection (SSTI) flaw in the Freemarker Engine component of Kingdee Cloud-Starry-Sky Enterprise Edition. The affected function plugin.buildMobilePopHtml within the \k3\o2o\bos\webapp\action\DynamicForm4Action.class file fails to properly sanitize user-controlled input before processing it through the Freemarker template engine.
Freemarker is a powerful Java-based template engine commonly used for generating dynamic HTML content. When template expressions are not properly restricted, attackers can inject arbitrary Freemarker directives that the engine will execute. This can lead to arbitrary class instantiation, method invocation, and potentially full remote code execution on the underlying server.
The network-based attack vector means that exploitation can occur remotely without requiring any user interaction or authentication, making this vulnerability particularly dangerous for internet-facing deployments of the affected software.
Root Cause
The root cause of CVE-2025-6761 is the improper neutralization of special elements used in the Freemarker template engine (CWE-791). The vulnerable function processes user-supplied data as template content without implementing adequate restrictions on which Freemarker built-ins and classes can be accessed. This allows attackers to leverage Freemarker's powerful introspection capabilities to instantiate arbitrary Java classes and invoke methods, bypassing the intended sandboxing of the template environment.
Attack Vector
The attack can be launched remotely against the Kingdee Cloud-Starry-Sky Enterprise Edition application. An attacker can submit a specially crafted request to the DynamicForm4Action endpoint containing malicious Freemarker template directives. When the plugin.buildMobilePopHtml function processes this input, the Freemarker engine evaluates the injected expressions, allowing the attacker to:
- Access internal Java classes through Freemarker's built-in methods
- Instantiate arbitrary objects using class loaders
- Execute system commands through Java's Runtime class
- Read sensitive files or exfiltrate data from the server
The vulnerability does not require authentication, making it exploitable by any remote attacker who can reach the affected endpoint.
Detection Methods for CVE-2025-6761
Indicators of Compromise
- Unusual HTTP requests to the DynamicForm4Action endpoint containing Freemarker template syntax such as ${, <#, or ?new
- Web server logs showing requests with encoded template injection payloads targeting the mobile popup HTML functionality
- Unexpected process spawning from the Java/Tomcat process running Kingdee Cloud-Starry-Sky
- File system access patterns indicating attempts to read sensitive configuration files
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block Freemarker template injection patterns in HTTP requests
- Monitor application logs for requests containing suspicious Freemarker syntax like freemarker.template.utility.Execute, ?new, or class reflection patterns
- Deploy runtime application self-protection (RASP) solutions to detect template injection attempts
- Review access logs for the \k3\o2o\bos\webapp\action\ path for anomalous request patterns
Monitoring Recommendations
- Enable detailed logging on the Kingdee Cloud-Starry-Sky application server to capture all requests to the DynamicForm4Action component
- Set up alerts for HTTP requests containing template injection indicators targeting the affected endpoints
- Monitor for outbound network connections from the application server that may indicate post-exploitation activity
- Implement file integrity monitoring on critical system files to detect unauthorized modifications
How to Mitigate CVE-2025-6761
Immediate Actions Required
- Upgrade Kingdee Cloud-Starry-Sky Enterprise Edition to the patched version that sets Freemarker to ALLOWS_NOTHING_RESOLVER
- If immediate patching is not possible, restrict network access to the affected DynamicForm4Action endpoint using firewall rules
- Implement WAF rules to filter requests containing Freemarker template syntax
- Review application logs for any evidence of prior exploitation attempts
Patch Information
Kingdee has released a security update that addresses this vulnerability by configuring the Freemarker engine with ALLOWS_NOTHING_RESOLVER. This setting prevents the template engine from parsing or instantiating any Java classes, effectively neutralizing template injection attacks. Organizations should obtain the patched version through Kingdee's official channels or reference the detailed advisory information.
For additional technical details about this vulnerability, refer to VulDB entry #314072.
Workarounds
- Implement strict input validation on all parameters passed to the DynamicForm4Action endpoint, rejecting any input containing Freemarker template syntax
- Deploy a reverse proxy or WAF in front of the application to filter malicious template injection attempts before they reach the vulnerable component
- If the mobile popup HTML functionality is not required, consider disabling or removing access to the affected endpoint entirely
- Implement network segmentation to limit the blast radius if the application is compromised
# Example WAF rule to block Freemarker template injection patterns
# Block requests containing common Freemarker injection syntax
SecRule ARGS "@rx (\$\{|<#|freemarker\.template|\.getClass\(\)|\.exec\()" \
"id:100001,phase:2,deny,status:403,log,msg:'Potential Freemarker Template Injection'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
