Description
Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
Published: 2026-04-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

Seeyon OA A8 implements an unauthenticated vulnerability in the /seeyon/htmlofficeservlet endpoint that permits attackers to write arbitrary files to the web application root. By submitting a crafted POST request bearing a base64‑encoded payload, an attacker can create JSP webshells and then invoke them through the web server, resulting in arbitrary OS command execution with the privileges of the web process. The weakness is a classic arbitrary file write flaw (CWE‑434).

Affected Systems

Impact reaches users running Seeyon Internet Software A8+ Collaborative Management Software or the older A8-V5 Collaborative Management Software. No specific version range is supplied, so all deployments of these products are potentially affected.

Risk and Exploitability

The CVSS score of 9.3 marks this flaw as critical. Although the EPSS score is unavailable, evidence of exploitation was reported in March 2021, indicating a real-world threat. The flaw is not listed in the CISA KEV catalog, but the lack of authentication and the ability to deploy a host‑side webshell make it highly likely to be actively exploited in targetable environments. Attackers can freely upload payloads and execute them with web‑server privileges, making this an urgent risk for any organization whose Seeyon OA A8 instance is reachable from the internet.

Generated by OpenCVE AI on April 22, 2026 at 03:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued security patch for Seeyon OA A8 to eliminate the unauthenticated /seeyon/htmlofficeservlet endpoint.
  • Sanitize or disable the htmlofficeservlet component and enforce proper authentication before allowing file uploads.
  • Restrict the web application root directory to read‑only permissions and deploy a web‑application firewall rule to block POST requests to /seeyon/htmlofficeservlet.

Generated by OpenCVE AI on April 22, 2026 at 03:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Seeyon Internet Software
Seeyon Internet Software a8+ Collaborative Management Software
Seeyon Internet Software a8-v5 Collaborative Management Software
Vendors & Products Seeyon Internet Software
Seeyon Internet Software a8+ Collaborative Management Software
Seeyon Internet Software a8-v5 Collaborative Management Software

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC).
Title Seeyon Office Anywhere (OA) A8 Unauthenticated Arbitrary File Write via htmlofficeservlet
Weaknesses CWE-434
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Seeyon Internet Software A8+ Collaborative Management Software A8-v5 Collaborative Management Software
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T20:37:38.941Z

Reserved: 2026-04-21T15:54:59.039Z

Link: CVE-2019-25714

cve-icon Vulnrichment

Updated: 2026-04-21T20:32:00.261Z

cve-icon NVD

Status : Deferred

Published: 2026-04-21T17:16:20.777

Modified: 2026-04-22T21:20:25.267

Link: CVE-2019-25714

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:46:17Z

Weaknesses