Sharon

Posted on Sep 2 • Edited on Sep 9

Critical Risk: Seeyon OA Arbitrary Password Reset Vulnerability

#webdev #vulnerabilities #cybersecurity #safeline

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Seeyon OA is a widely used enterprise Office Automation (OA) platform that helps organizations streamline daily tasks and workflow management.

Recently, Seeyon released a new patch addressing a critical front-end vulnerability that allows attackers to reset any user’s password without authentication.

Chaitin Tech’s emergency response team analyzed the issue and confirmed that many internet-facing Seeyon OA systems remain unpatched and exploitable. To help defenders, they have released a harmless X-POC remote scanner and a CloudWalker local detection tool that are publicly available.

Vulnerability Description

A password reset API in Seeyon OA can be accessed without authentication.

By sending a crafted request, attackers can change the password of any user account — including privileged admin accounts.

This gives attackers a direct path to hijack corporate OA systems.

Detection Tools

X-POC Remote Detection

Command:

./xpoc -r 406 -t http://xpoc.org

Download:

CloudWalker Local Detection

Command:

seeyon_oa_resetpass_ct_868971_scanner_windows_amd64.exe

Download:

https://stack.chaitin.com/tool/detail/1227

Affected Versions

V5/G6
V8.1 SP2
V8.2

Solutions

Temporary Mitigation

Apply network ACLs to restrict access — e.g., only allow trusted IP ranges to reach Seeyon OA systems.

Official Fix

Seeyon has released an official patch:
🔗 Patch Download (Official Site)

Product Support

Yuntu: Supports fingerprint recognition & POC detection
Dongjian: Supports custom POC detection
SafeLine WAF: Virtual patch released, blocks exploitation attempts
Quanxi: Rule updates released, detects this vulnerability
CloudWalker: Users on platform 23.05.001+ can download the emergency vulnerability intel pack (EMERVULN-23.09.007) to detect exploitation attempts. Older versions should contact CloudWalker support.

Timeline

Sept 6 – Seeyon OA published official patch
Sept 7 – Chaitin Emergency Lab analyzed and reproduced the vulnerability
Sept 7 – Chaitin Security Response Center released advisory

References

Seeyon Official Patch

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

DEV Community