Description

SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability (CWE-434) in the RMIServlet request-handling logic. Under certain configurations or usage patterns, an attacker can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw; installations that have not applied that update remain affected. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.
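The record above names RMIServlet as the attack surface and reports in-the-wild targeting, so the first thing a defender wants is a way to find requests to that servlet in web-server logs. The following is an added triage script, not part of the CVE record, of VulnCheck's advisory, or of SmartBI's own code. It assumes Combined Log Format access logs, a servlet path ending in /RMIServlet (only the servlet name comes from the advisory; the /smartbi/vision/ prefix is an assumption), and RFC 1918 ranges as "internal". The log lines are constructed for the example and use documentation addresses.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Combined Log Format); not real SmartBI logs.
# The /smartbi/vision/ prefix is an assumption: only "RMIServlet" comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2025:09:12:01 +0000] "GET /smartbi/vision/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2025:09:12:44 +0000] "POST /smartbi/vision/RMIServlet HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [15/Oct/2025:09:12:45 +0000] "POST /smartbi/vision/RMIServlet HTTP/1.1" 200 298 "-" "python-requests/2.31"
10.0.0.8 - - [15/Oct/2025:09:13:10 +0000] "POST /smartbi/vision/RMIServlet HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2025:09:14:02 +0000] "GET /smartbi/vision/RMIServlet?x=1 HTTP/1.1" 405 0 "-" "curl/8.4.0"
"""

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed internal address space; adjust to the environment being triaged.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip):
    """True when the source is outside INTERNAL_NETS (or cannot be parsed at all)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # unparseable source field: treat as suspicious rather than drop it
    return not any(addr in net for net in INTERNAL_NETS)


def find_rmiservlet_hits(log_text):
    """Return parsed entries whose request path targets RMIServlet.

    Matching is case-insensitive and ignores the query string, so
    /smartbi/vision/RMIServlet?x=1 and /SMARTBI/vision/rmiservlet both count.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path.lower().endswith("/rmiservlet"):
            hits.append(rec)
    return hits


def triage(log_text):
    """Summarise RMIServlet activity.

    Returns total hits, the number of hits from external sources, a per-source
    count, and the sorted list of external sources to escalate. Any method is
    kept: the advisory does not state which HTTP methods the servlet accepts.
    """
    hits = find_rmiservlet_hits(log_text)
    external = [h for h in hits if is_external(h["ip"])]
    return {
        "hits": len(hits),
        "external_hits": len(external),
        "sources": dict(Counter(h["ip"] for h in hits)),
        "escalate": sorted({h["ip"] for h in external}),
    }


if __name__ == "__main__":
    for ip in triage(SAMPLE_LOG)["escalate"]:
        print("escalate: external source hitting RMIServlet:", ip)
```

On the sample above the script reports four RMIServlet hits, three from outside the assumed internal ranges, and escalates 198.51.100.9 and 203.0.113.7. The internal POST from 10.0.0.8 is counted but not escalated; whether internal clients should ever reach this servlet is an environment-specific question, and a 405 on a GET is not evidence that a host is unaffected.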

State: PUBLISHED | Reserved: 2025-07-24 | Published: 2025-10-15 | Updated: 2025-10-15 | Assigner: VulnCheck

Severity: CRITICAL 9.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected
V8 before July 2023 update: affected
V9 before July 2023 update: affected
V10 before July 2023 update: affected

References

www.smartbi.com.cn/patchinfo (vendor release notes, patch)
avd.aliyun.com/detail?id=AVD-2023-1673292 (vulnerability database entry)
jeyiuwai.pages.dev/...i-rmiservlet-远程代码执行漏洞/ (technical description and exploit; the URL slug reads "rmiservlet remote code execution vulnerability")
www.vulncheck.com/...rmiservlet-unrestricted-file-upload-rce (third-party advisory)
cve.org (CVE-2023-7305)
nvd.nist.gov (CVE-2023-7305)