Yonyou U8Cloud Hit by Critical RCE Bug (All Versions Affected)

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Yonyou U8Cloud is a popular enterprise-grade ERP platform that helps businesses streamline workflows, enhance collaboration, and move toward digital transformation.

Recently, Yonyou received a vulnerability report and quickly released a patch to fix a deserialization vulnerability in the ServiceDispatcher interface. Together with Chaitin Tech, they issued a joint security advisory to ensure customers take timely action.

The Chaitin emergency response team has also released X-POC remote scanners and CloudWalker local detection tools to help security teams verify exposure and mitigate risks.

Vulnerability Description

CVE pending ID

All versions of U8Cloud are affected.

The vulnerability exists in the ServiceDispatcher interface, where unsafe deserialization allows attackers to gain remote code execution (RCE) on the system.

Detection Tools

🔹 X-POC Remote Detection

Command:

xpoc -r 407 -t https://xpoc.org

Download:

• https://github.com/chaitin/xpoc
• https://stack.chaitin.com/tool/detail/1036

🔹 CloudWalker Local Detection

Command:

yonyou_nc_service_dispatcher_servlet_ct_882436_scanner_windows_amd64.exe

Download:

• https://stack.chaitin.com/tool/detail/1229

Affected Versions

• All versions of U8Cloud

Solutions

Temporary Mitigation

Restrict access using network ACLs, e.g., only allow trusted IP ranges.

Official Fix

Yonyou has published an official patch. Download here:
🔗 Official Patch & Advisory

Product Support

• Yuntu: Supports product fingerprinting & POC detection
• Dongjian: Supports POC detection
• SafeLine WAF: Virtual patch released, detects exploit attempts
• Quanxi: Rules update expected before Sept 20, 18:00
• CloudWalker: Customers on platform 23.05.001+ can download the emergency vulnerability intel pack (EMERVULN-23.09.019) for direct detection. Older versions should contact CloudWalker support for assistance.

Timeline

• Aug 31 – Yonyou released official patch and advisory
• Sept 18 – Vulnerability details leaked publicly online
• Sept 20 – Joint advisory published by Yonyou & Chaitin

References

• Yonyou Official Patch & Advisory

Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.

• GitHub Repository
• Official Docs
• Discord Community