← back
CVE-2019-25714

Seeyon Office Anywhere (OA) A8 Unauthenticated Arbitrary File Write via htmlofficeservlet

CVSS 9.3 CRITICALEPSS 0.7%CWE-434
Vexday Risk Score
48Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3EPSS 0.7%KEV nãoPoC públicaNuclei Metasploit Patch referenciado
Lifecycle
21 Apr 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.