CVE-2025-8516 | Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2 IIS-K3CloudMiniApp FileUploadAction.class filePath path traversal

SecurityVulns

A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. It has been classified as problematic. Affected is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3CloudBBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. The manipulation of the argument filePath leads to path traversal.

This vulnerability is traded as CVE-2025-8516. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

It is recommended to apply restrictive firewalling.

The vendor recommends as a short-term measure to “[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control.” The long-term remediation will be: “Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function.”
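The traversal above arises when a delete action resolves a caller-supplied filePath without confining it to the upload directory. The following is an added illustration of the containment check such an action needs; it is not code from Kingdee or from this advisory, and the class name, method name and the UPLOAD_ROOT location are assumptions for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not the vendor's code: confine a user-supplied filePath to an
 * upload root before a delete (or read) action touches the filesystem.
 */
public final class SafeDeletePath {
    // Assumed location; the real product layout is not given in the advisory.
    private static final Path UPLOAD_ROOT =
            Paths.get("/srv/k3cloud/uploads").toAbsolutePath().normalize();

    /** Returns the resolved path if it stays inside root, otherwise throws. */
    public static Path resolveInsideRoot(Path root, String filePath) {
        if (filePath == null || filePath.isEmpty() || filePath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid filePath");
        }
        // Compare against a normalised, absolute root so the prefix test is meaningful.
        Path base = root.toAbsolutePath().normalize();
        // The affected component runs under IIS, so treat '\' as a separator too.
        String unified = filePath.replace('\\', '/');
        // normalize() collapses "." and ".." so the prefix check sees the real target.
        Path candidate = base.resolve(unified).normalize();
        // An absolute filePath resolves to itself, which also fails the prefix check.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("filePath escapes upload root: " + filePath);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate names, three traversal attempts.
        String[] samples = {
            "report.pdf", "2025/08/invoice.png",
            "../../WEB-INF/web.xml", "..\\..\\web.config", "/etc/passwd"
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW " + resolveInsideRoot(UPLOAD_ROOT, s));
            } catch (RuntimeException e) {
                System.out.println("DENY  " + e.getMessage());
            }
        }
    }
}
```

The check addresses only the traversal; the vendor's remediation also adds authentication to the handler, which this example does not replace.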