
Sharon


Yonyou U8 Cloud RCE: File Upload Bypass Confirmed

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

On August 29, 2025, Yonyou Security Center disclosed a critical vulnerability in U8 Cloud, its next-gen enterprise ERP solution. The bug is a file upload bypass in the ServiceDispatcherServlet patch, which can be chained into remote code execution (RCE).

Our team at Chaitin Security Response Center has successfully reproduced the issue and confirmed its impact. This advisory summarizes the root cause, impact, mitigation, and detection timeline.


Vulnerability Overview

Type: Remote Code Execution (RCE)

Severity: High

Attack Vector: Network (unauthenticated)

Requirements: No authentication, no user interaction, default config

Exploit Maturity: POC/EXP not publicly available

Fix Complexity: Low (official patch available)


Root Cause (Why it happens)

The July 28, 2025 patch attempted to fix unsafe file upload logic in U8 Cloud.

However, the patch’s logic was incomplete:

  1. Attackers can still upload a malicious JSP file into a non-web directory.
  2. By invoking reflection, the file can be copied into a web-accessible path.
  3. The uploaded JSP is then executed, resulting in full remote code execution.

⚠️ Note: The token validation logic introduced in the July 28 patch is not bypassable.

Users who already applied the July 28 patch are safe from this specific issue.

Those who have not patched yet remain vulnerable.
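To make the root cause concrete, here is an added illustration (not Yonyou's or Chaitin's code) of the two checks an upload path in a Java application needs so that neither step of the chain above works: the client-supplied name is refused if any segment is a server-executable extension, and the destination check is applied to the initial write and to every later move or copy, so a file staged outside the web root can never be relocated under it. Directory roots, the allowlist and the class name are assumptions; requires Java 11+.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/** Illustrative upload guard (not Yonyou's or Chaitin's code); roots below are assumed. */
public final class UploadGuard {
    // Assumption: uploads are staged outside every servlet web root.
    static final Path UPLOAD_ROOT = Paths.get("/opt/u8c/uploads").toAbsolutePath().normalize();
    static final Path WEB_ROOT = Paths.get("/opt/u8c/webapps").toAbsolutePath().normalize();

    // Anything the container executes as code is refused in ANY name segment, not just the last.
    static final Set<String> EXECUTABLE = Set.of("jsp", "jspx", "jspf", "jsw", "jsv");
    // Allowlist of what the application actually needs to accept (assumed set).
    static final Set<String> ALLOWED = Set.of("pdf", "xlsx", "docx", "png", "jpg");

    /** Check 1: the client-supplied name. Catches "shell.jsp", "A.JsP" and "shell.jsp.png". */
    public static boolean isSafeFileName(String clientName) {
        if (clientName == null || clientName.isBlank() || clientName.indexOf('\0') >= 0) return false;
        String leaf;
        try {
            // Only the leaf is used; client-supplied directory parts are never trusted.
            leaf = Paths.get(clientName.replace('\\', '/')).getFileName().toString();
        } catch (InvalidPathException e) {
            return false;
        }
        if (leaf.equals(".") || leaf.equals("..") || !leaf.contains(".")) return false;
        String[] parts = leaf.toLowerCase(Locale.ROOT).split("\\.");
        for (int i = 1; i < parts.length; i++) {
            if (EXECUTABLE.contains(parts[i])) return false;
        }
        return ALLOWED.contains(parts[parts.length - 1]);
    }

    /** Check 2: the destination. Must guard the initial write AND every later move/copy,
     *  so a file staged in a non-web directory can never be relocated under the web root. */
    public static boolean isAllowedDestination(Path target) {
        Path resolved = UPLOAD_ROOT.resolve(target).toAbsolutePath().normalize();
        return resolved.startsWith(UPLOAD_ROOT) && !resolved.startsWith(WEB_ROOT);
    }

    public static void main(String[] args) {
        System.out.println(isSafeFileName("report.pdf"));
        System.out.println(isSafeFileName("shell.jsp.png"));
        System.out.println(isSafeFileName("../../shell.JSP"));
        System.out.println(isAllowedDestination(Paths.get("docs/report.pdf")));
        System.out.println(isAllowedDestination(Paths.get("/opt/u8c/webapps/u8c/x.jsp")));
    }
}
```

The second check is the one the July 28 logic needed on the move path as well as the upload path; a name filter alone does not help once an already-stored file can be copied by other code.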


Potential Impact

If exploited, attackers could:

  • Execute arbitrary system commands remotely
  • Gain full control of the target server
  • Exfiltrate sensitive business data
  • Disrupt ERP operations and compromise availability

Priority: High — patch immediately.


Affected Versions

  • Yonyou U8 Cloud
    • Versions prior to patch 20250728T101233

Mitigation & Fix

Official Patch

Yonyou has released an updated patch.

👉 Download here

Temporary Workarounds

  • Do not expose U8 Cloud directly to the public internet unless strictly necessary.

Reproduction

  1. Upload an arbitrary file (e.g., a JSP) into the root directory.

  2. Move the uploaded file from the root to the web directory via reflection.


Product Support & Detection

  • YunTu → Already supports U8 Cloud fingerprinting + PoC detection.
  • DongJian → Detection package to be released 2025-09-03.
  • QuanXi → Rule updates released, supports exploitation detection.
  • WuFeng → Supports fingerprinting + PoC detection by default.

Timeline

  • 2025-08-29 → Yonyou Security Center publishes initial advisory
  • 2025-09-03 → Chaitin Security Response Center confirms and publishes this advisory

TL;DR

  • Yonyou U8 Cloud has a file upload bypass → RCE vulnerability.
  • Patch 20250728T101233 fixes the issue.
  • If you’re running unpatched versions, update immediately.
  • Until patched, avoid exposing U8 Cloud to the internet and enforce strict WAF rules.

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
