Sixun Shanghui Group Business Management System CVE-2025-14697
Severity (NVD): LOW
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A security flaw has been discovered in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 4.10.24.3. Affected by this issue is some unknown functionality of the file /ExportFiles/. The manipulation results in files or directories becoming accessible. The attack may be launched remotely. This attack is characterized by high complexity, and exploitation is known to be difficult. The exploit has been released to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Sixun Shanghui Group Business Management System 4.10.24.3 allows unauthenticated remote attackers to access files and directories through the /ExportFiles/ endpoint due to improper access controls, resulting in disclosure of sensitive data. The vulnerability requires high attack complexity and has publicly available exploit code, but it remains difficult to exploit in practice; its EPSS score of 0.06% indicates a minimal probability of real-world exploitation.
Technical Context (AI)
The vulnerability is rooted in CWE-425 (Direct Request to Handler), indicating inadequate access control mechanisms on a file export handler. The /ExportFiles/ endpoint fails to properly validate or restrict which files can be accessed through the export functionality, allowing traversal or direct access to sensitive system files or directories. This is a classic information disclosure vulnerability in web applications where file operations are exposed without proper authentication and authorization checks.
Affected Products (AI)
Shenzhen Sixun Software Sixun Shanghui Group Business Management System version 4.10.24.3 is confirmed affected. No information about earlier or later versions is available from the provided sources. The specific affected component is the /ExportFiles/ endpoint. The vendor (Shenzhen Sixun Software) was contacted for disclosure but provided no response.
Remediation (AI)
Immediate patching guidance cannot be provided as the vendor has not released a fix and did not respond to early disclosure attempts. Implement compensating controls by restricting network access to the /ExportFiles/ endpoint through a Web Application Firewall (WAF) or reverse proxy, allowing only authenticated users with explicit authorization to access file export functionality. Enforce strict input validation and path traversal prevention on all file operations within the /ExportFiles/ handler, implementing a whitelist of allowable file paths or directories that can be exported. Disable the /ExportFiles/ endpoint entirely if file export functionality is not critical for operations, or require multi-factor authentication and role-based access control (RBAC) prior to allowing any file export requests. Monitor access logs for suspicious patterns of requests to /ExportFiles/ with unusual parameters or repeated failed attempts.
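The log-monitoring control above, as an added example that is not part of this advisory or of the vendor's product: it scans web-server access logs for requests to /ExportFiles/ that carry a traversal segment after URL-decoding, or that repeatedly fail from one client. The combined log layout and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log layout is assumed; only the fields used are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')   # matched only after URL-decoding
EXPORT_PREFIX = '/exportfiles/'

def scan_export_log(lines, fail_threshold=3):
    """Return {client_ip: [findings]} for requests under /ExportFiles/.

    Flags (a) any path that still contains a ../ or ..\\ segment after two
    rounds of URL-decoding (covers %2e%2e and double-encoded %252e forms; a
    '..' that stays inside the export root is flagged too, by design), and
    (b) a client whose 4xx responses on the endpoint reach fail_threshold.
    """
    findings = defaultdict(list)
    failures = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        raw = m.group('path')
        decoded = unquote(unquote(raw))   # second pass exposes double encoding
        if not decoded.lower().startswith(EXPORT_PREFIX):
            continue
        ip = m.group('ip')
        if TRAVERSAL_RE.search(decoded):
            findings[ip].append(f'traversal sequence in {raw}')
        if m.group('status').startswith('4'):
            failures[ip] += 1
            if failures[ip] == fail_threshold:
                findings[ip].append(f'{fail_threshold} failed /ExportFiles/ requests')
    return dict(findings)

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /ExportFiles/report.xlsx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /ExportFiles/..%2F..%2Fnotes.txt HTTP/1.1" 200 812 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /ExportFiles/?file=a HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "GET /ExportFiles/?file=b HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Jan/2025:10:00:05 +0000] "GET /ExportFiles/?file=c HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /ExportFiles/..%252F..%252Fnotes.txt HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jan/2025:10:01:01 +0000] "GET /login HTTP/1.1" 404 153 "-" "python-requests/2.31"',
]

if __name__ == '__main__':
    for ip, hits in scan_export_log(SAMPLE_LOG).items():
        print(ip, hits)
```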