Which versions of Bjskzy Zhiyou ERP are affected by CVE-2025-11140?

Organizations using Bjskzy Zhiyou ERP should be aware of notable risk from CVE-2025-11140 rated CVSS 6.9. Exploitation could compromise the security of affected deployments.

Is there a public PoC exploit available for CVE-2025-11140?

Yes, a public proof-of-concept exploit is available for CVE-2025-11140. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-11140?

Within 7 days: Identify affected systems running Bjskzy Zhiyou ERP and apply vendor patches promptly. Monitor vendor channels for patch availability.

Bjskzy Zhiyou ERP CVE-2025-11140

Q: What is the CVSS score of CVE-2025-11140?

CVE-2025-11140 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

MEDIUM

Externally Controlled Reference to a Resource in Another Sphere (CWE-610)

2025-09-29 cna@vuldb.com

XXE

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

Analysis Generated

Mar 28, 2026 - 19:14 vuln.today

PoC Detected

Oct 03, 2025 - 18:18 vuln.today

Public exploit code

CVE Published

Sep 29, 2025 - 04:15 nvd

MEDIUM 6.9

DescriptionNVD

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-610. A vulnerability was identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this vulnerability is the function openForm of the component com.artery.richclient.RichClientService. Such manipulation of the argument contentString leads to xml external entity reference. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. Affected products include: Zhiyou-Group Zhiyou Erp. Version information: up to 11.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2025-11140 vulnerability details – vuln.today

Back

Bjskzy Zhiyou ERP CVE-2025-11140

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

Bjskzy Zhiyou ERP CVE-2025-11140

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code