Kingdee ERP Under Attack: File Upload Flaw Exposed

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Kingdee Cloud Galaxy is a popular enterprise-grade ERP platform used in finance, supply chain, and business process management.

In November 2023, security researchers publicly disclosed a critical arbitrary file upload vulnerability in its ScpSupRegHandler module.

The flaw is easy to exploit — public PoCs are already circulating — allowing attackers to upload malicious files and potentially gain full control of the server.

---

Vulnerability Overview

The core issue lies in insecure file upload handling — one of the most common yet dangerous flaws in web applications.

Here’s what went wrong:

• Weak file extension checks: The backend failed to properly validate the file type.
• Improper path sanitization: The upload handler didn’t prevent directory traversal sequences like ../../../../, enabling attackers to escape the intended upload directory.

By crafting a malicious file (e.g., .jsp webshell) with a specially designed filename, an attacker can drop it into an unintended server directory — such as a web-accessible path — and execute arbitrary commands.

---

Exploitation Patterns

From a traffic analysis perspective, malicious uploads stand out in HTTP POST requests containing unusual file paths, especially with multiple ../ sequences.

This is a classic directory traversal indicator.

---

Impact

If exploited successfully, attackers can:

• Upload files anywhere on the server
• Deploy webshells or malware
• Tamper with existing files
• Gain remote code execution (RCE) and pivot further into the network
• Steal sensitive data or use the compromised server for other attacks

Severity: High — this flaw can lead to full server compromise.

---

Affected Versions

• Kingdee Cloud Galaxy Enterprise Private Cloud
• Enterprise Private Cloud (Subscription)
• Standard Private Cloud (Subscription)

Versions: V6.2 (incl. Dec 2017 patch) → V8.1 (incl. Sept 2023 patch)

---

Mitigation & Fix

Temporary Workarounds:

• Disable file upload functionality if it’s not business-critical.
• Restrict system exposure:
  • Remove from public internet
  • Apply network ACLs to allow only trusted IP ranges

Permanent Fix:

• Upgrade to the patched version provided by Kingdee. Official advisory: Kingdee Security Patch Contact Kingdee Support for installation packages or assistance.

---

Reproduction (PoC)

1. Upload a malicious file via the vulnerable ScpSupRegHandler endpoint

1. Access the uploaded file via browser to execute commands on the server

---

Product Detection Support

• YunTu / DongJian: Supports fingerprint recognition and PoC-based detection for this vulnerability.
• SafeLine / QuanXi: Detects exploitation attempts out of the box.

---

Timeline

• 2023-10-26 — Official patch released
• 2023-11-01 — Vulnerability publicly disclosed online
• 2023-11-16 — Chaitin Emergency Response Lab analysis & reproduction
• 2023-11-16 — Chaitin CSRC published advisory

---

References

• Kingdee Official Security Notice

---

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

• GitHub Repository
• Official Docs
• Discord Community