CVE-2026-1218 Overview
A vulnerability has been identified in Bjskzy Zhiyou ERP up to version 11.0 affecting the initRCForm function within the RichClientService.class file of the com.artery.richclient.RichClientService component. This XML External Entity (XXE) vulnerability allows remote attackers to exploit improper XML parsing to potentially access sensitive data, perform server-side request forgery, or cause denial of service conditions.
Critical Impact
Remote attackers with low privileges can exploit this XXE vulnerability to read arbitrary files, perform SSRF attacks, or disrupt ERP system availability. A public exploit is available, and the vendor has not responded to disclosure attempts.
Affected Products
- Bjskzy Zhiyou ERP up to version 11.0
- com.artery.richclient.RichClientService component
- RichClientService.class - specifically the initRCForm function
Discovery Timeline
- 2026-01-20 - CVE CVE-2026-1218 published to NVD
- 2026-01-20 - Last updated in NVD database
Technical Details for CVE-2026-1218
Vulnerability Analysis
This vulnerability is classified as an XML External Entity (XXE) reference issue (CWE-610: Externally Controlled Reference to a Resource in Another Sphere). The flaw exists in how the initRCForm function processes XML input without properly validating or restricting external entity references.
XXE vulnerabilities occur when an XML parser is configured to process external entity declarations within XML documents. When user-controlled XML data is parsed without proper security configurations, attackers can craft malicious XML payloads containing external entity references that instruct the parser to fetch resources from arbitrary locations.
The attack can be executed remotely over the network and requires only low-level privileges to perform. The vulnerability allows attackers to potentially read local files from the server, perform server-side request forgery (SSRF) to access internal network resources, or cause denial of service through resource exhaustion. The vendor was contacted early regarding this disclosure but did not respond, leaving users without an official patch.
Root Cause
The root cause of this vulnerability lies in insecure XML parser configuration within the initRCForm function of RichClientService.class. The XML parser fails to disable external entity processing, allowing attackers to define and reference external entities that the parser will attempt to resolve. This is a common misconfiguration in Java-based applications where DocumentBuilderFactory or similar XML parsing libraries are used without explicitly disabling DTD processing and external entity resolution.
Attack Vector
The vulnerability is exploitable remotely over the network. An attacker with low-level privileges can craft a malicious XML payload containing external entity declarations and submit it to the vulnerable initRCForm function. When the server processes the XML input, it resolves the external entities, potentially leaking file contents or making requests to attacker-controlled or internal servers.
A typical XXE attack against this vulnerability would involve crafting an XML document with a Document Type Definition (DTD) that declares an external entity pointing to a sensitive file (such as /etc/passwd on Linux systems) or an internal network resource. When the vulnerable function parses this XML, it retrieves and includes the content of the referenced resource, which can then be exfiltrated through various techniques such as out-of-band data extraction. For technical details and proof-of-concept information, see the GitHub PoC Repository.
Detection Methods for CVE-2026-1218
Indicators of Compromise
- Unusual XML requests containing DOCTYPE declarations with ENTITY definitions targeting the initRCForm endpoint
- Outbound HTTP/HTTPS connections from the ERP server to unexpected external hosts
- Unexpected file access attempts on the server, particularly targeting sensitive configuration files
- Error logs showing XML parsing exceptions or failed external resource resolution
Detection Strategies
- Monitor web application logs for requests to RichClientService endpoints containing suspicious XML patterns with external entity declarations
- Implement network monitoring to detect unusual outbound connections from the ERP server that may indicate XXE-based SSRF or data exfiltration
- Deploy web application firewall (WAF) rules to detect and block XML payloads containing DOCTYPE and ENTITY declarations
- Use SentinelOne Singularity Platform to monitor for anomalous process behavior and file access patterns on ERP server hosts
Monitoring Recommendations
- Enable detailed logging for the com.artery.richclient.RichClientService component to capture all incoming requests and XML parsing activities
- Configure alerts for any outbound DNS queries or HTTP requests originating from the ERP application server to unexpected destinations
- Implement file integrity monitoring on sensitive configuration files that may be targeted through XXE exploitation
How to Mitigate CVE-2026-1218
Immediate Actions Required
- Restrict network access to the Bjskzy Zhiyou ERP application to trusted networks only using firewall rules
- Implement a web application firewall (WAF) with rules to block XML payloads containing external entity declarations
- Review and limit user privileges to reduce the potential attack surface
- Consider temporarily disabling the affected initRCForm functionality if not business-critical until a permanent fix is available
Patch Information
As of the last update on 2026-01-20, no official patch has been released by the vendor. The vendor was contacted regarding this vulnerability but did not respond. Users should implement the workarounds below and monitor for any future vendor communications. Additional details are available at VulDB #341908.
Workarounds
- Configure the application server or a reverse proxy to filter XML requests containing DOCTYPE declarations before they reach the ERP application
- If source code access is available, modify the XML parser configuration to disable DTD processing and external entity resolution by setting appropriate parser features
- Implement network segmentation to isolate the ERP server and limit the impact of potential SSRF attacks via XXE
- Use SentinelOne Singularity to monitor for and block suspicious activity patterns associated with XXE exploitation attempts
# Example WAF rule pattern to block XXE attempts (ModSecurity syntax)
SecRule REQUEST_BODY "@rx <!ENTITY" \
"id:1001,\
phase:2,\
deny,\
status:403,\
msg:'Potential XXE Attack Blocked',\
log"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
