DEV Community

Sharon

Kingdee ERP Zero-Day? ScpSupRegHandler File Upload Exploit Explained

> About Author
> Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Kingdee Cloud Galaxy is a popular enterprise-grade ERP platform used in finance, supply chain, and business process management.

In November 2023, security researchers publicly disclosed a critical arbitrary file upload vulnerability in its ScpSupRegHandler module.

The flaw is easy to exploit — public PoCs are already circulating — allowing attackers to upload malicious files and potentially gain full control of the server.


Vulnerability Overview

The core issue lies in insecure file upload handling — one of the most common yet dangerous flaws in web applications.

Here’s what went wrong:

  • Weak file extension checks: The backend failed to properly validate the file type.
  • Improper path sanitization: The upload handler didn’t prevent directory traversal sequences like ../../../../, enabling attackers to escape the intended upload directory.

By crafting a malicious file (e.g., .jsp webshell) with a specially designed filename, an attacker can drop it into an unintended server directory — such as a web-accessible path — and execute arbitrary commands.


Exploitation Patterns

From a traffic analysis perspective, malicious uploads stand out in HTTP POST requests containing unusual file paths, especially with multiple ../ sequences.

This is a classic directory traversal indicator.
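The two weaknesses above (extension check, path sanitization) and the traffic indicator just described, as an added Python example that is not part of the original post or of Kingdee's code: a hardened destination-path check beside a detector that labels constructed upload requests. UPLOAD_ROOT, the allowed-extension set and the ScpSupRegHandler URL substring are assumptions, not values from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed deployment values for this example, not taken from Kingdee's code.
UPLOAD_ROOT = "/opt/app/uploads"
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}
VULN_HANDLER = "ScpSupRegHandler"  # assumed URL substring; the advisory names only the handler
SCRIPT_EXT_RE = re.compile(r"\.(jspx?|php\d?|aspx?)$", re.IGNORECASE)

def resolve_upload_path(filename: str):
    """Hardened counterpart of the two weaknesses: allow-list the extension,
    then normalize the joined path and require it to stay under UPLOAD_ROOT.
    Returns the canonical destination, or None when the name must be rejected."""
    decoded = unquote(filename)  # decode once so %2e%2e%2f is seen as ../
    ext = posixpath.splitext(decoded)[1].lower()  # last extension wins: a.jpg.jsp is .jsp
    if ext not in ALLOWED_EXTENSIONS:
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None  # normalized path escaped the upload directory
    return candidate

def flag_upload(method: str, target: str, filename: str) -> list:
    """Detection side: label one upload request with the indicators the
    advisory describes (traversal depth, server-side script extension)."""
    reasons = []
    if method.upper() != "POST" or VULN_HANDLER not in target:
        return reasons
    decoded = unquote(filename)
    depth = decoded.count("../") + decoded.count("..\\")
    if depth:
        reasons.append(f"traversal_depth={depth}")
    if SCRIPT_EXT_RE.search(decoded):
        reasons.append("script_extension")
    return reasons

# Constructed sample upload requests (method, URL path, multipart filename); not real traffic.
SAMPLE_UPLOADS = [
    ("POST", "/ScpSupRegHandler", "report.pdf"),
    ("POST", "/ScpSupRegHandler", "../../../../webroot/x.jsp"),
    ("POST", "/ScpSupRegHandler", "%2e%2e%2f%2e%2e%2fx.jsp"),
    ("GET", "/index.html", "-"),
]

if __name__ == "__main__":
    for method, target, name in SAMPLE_UPLOADS:
        print(name, "->", resolve_upload_path(name), flag_upload(method, target, name))
```

The URL-encoded sample is decoded before both checks, so an encoded traversal is scored the same as a literal one.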


Impact

If exploited successfully, attackers can:

  • Upload files anywhere on the server
  • Deploy webshells or malware
  • Tamper with existing files
  • Gain remote code execution (RCE) and pivot further into the network
  • Steal sensitive data or use the compromised server for other attacks

Severity: High — this flaw can lead to full server compromise.


Affected Versions

  • Kingdee Cloud Galaxy Enterprise Private Cloud
  • Enterprise Private Cloud (Subscription)
  • Standard Private Cloud (Subscription)

Versions:

  • V6.2 (incl. Dec 2017 patch)
  • V8.1 (incl. Sept 2023 patch)


Mitigation & Fix

Temporary Workarounds:

  • Disable file upload functionality if it’s not business-critical.
  • Restrict system exposure:
    • Remove from public internet
    • Apply network ACLs to allow only trusted IP ranges

Permanent Fix:

  • Upgrade to the patched version provided by Kingdee. Official advisory: Kingdee Security Patch. Contact Kingdee Support for installation packages or assistance.

Reproduction (PoC)

  1. Upload a malicious file via the vulnerable ScpSupRegHandler endpoint
  2. Access the uploaded file via browser to execute commands on the server


Product Detection Support

  • YunTu / DongJian: Supports fingerprint recognition and PoC-based detection for this vulnerability.
  • SafeLine / QuanXi: Detects exploitation attempts out of the box.

Timeline

  • 2023-10-26 — Official patch released
  • 2023-11-01 — Vulnerability publicly disclosed online
  • 2023-11-16 — Chaitin Emergency Response Lab analysis & reproduction
  • 2023-11-16 — Chaitin CSRC published advisory
