Seeyon Office Anywhere (OA) A8 Unauthenticated Arbitrary File Write via htmlofficeservlet
Summary
| CVE | CVE-2019-25714 |
|---|---|
| State | PUBLISHED |
| Assigner | VulnCheck |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-21 17:16:20 UTC |
| Updated | 2026-04-22 21:20:25 UTC |
| Description | Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC). |
Risk And Classification
Primary CVSS: v4.0 9.3 CRITICAL from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.005960000 probability, percentile 0.693850000 (date 2026-04-22)
Problem Types: CWE-434 Unrestricted Upload of File with Dangerous Type
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Sub Conf. | None |
| Sub Integrity | None |
| Sub Availability | None |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Seeyon Internet Software | A8-V5 Collaborative Management Software | affected 6.1sp1 | Not specified |
| CNA | Seeyon Internet Software | A8 Collaborative Management Software | affected 7.0 | Not specified |
| CNA | Seeyon Internet Software | A8 Collaborative Management Software | affected 7.0sp1 | Not specified |
| CNA | Seeyon Internet Software | A8 Collaborative Management Software | affected 7.0sp2 | Not specified |
| CNA | Seeyon Internet Software | A8 Collaborative Management Software | affected 7.0sp3 | Not specified |
| CNA | Seeyon Internet Software | A8 Collaborative Management Software | affected 7.1 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E8%87%B4%E8%BF%9Coa/%E8%87%B4%E8%BF%9C... | [email protected] | wiki.96.mk | |
| www.vulncheck.com/advisories/seeyon-office-anywhere-oa-a8-unauthenticated-arbit... | [email protected] | www.vulncheck.com | |
| www.broadcom.com/support/security-center/attacksignatures/detail | [email protected] | www.broadcom.com | |
| sourceforge.net/software/product/A8 | [email protected] | sourceforge.net | |
| www.fortiguard.com/encyclopedia/ips/48874/seeyon-office-anywhere-htmlofficeservl... | [email protected] | www.fortiguard.com | |
| web.archive.org/web/20190821034711/http://wyb0.com/posts/2019/seeyon-htmloffi... | [email protected] | web.archive.org | |
| static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/90916/Security_Notification_reseller_en-US.pdf | [email protected] | static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: The Shadowserver Foundation (en)
There are currently no legacy QID mappings associated with this CVE.