QwikSec

Security Database

CVE

CWE

Training

CVE-2023-7305

Published: Oct 15, 2025

Modified: Nov 7, 2025

PUBLISHED

Description

SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild.

Vendor	Product	Versions
Guangzhou Smart Software Co., Ltd.	SmartBI	affected `V8 - < July 2023 update` affected `V9 - < July 2023 update` affected `V10 - < July 2023 update`

Weaknesses (CWE)

References

https://www.smartbi.com.cn/patchinfo

release-notes

patch

https://avd.aliyun.com/detail?id=AVD-2023-1673292

vdb-entry

https://jeyiuwai.pages.dev/posts/1day-%E8%B7%9F%E8%B8%AAsmartbi-rmiservlet-%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/

technical-description

exploit

https://www.vulncheck.com/advisories/smartbi-rmiservlet-unrestricted-file-upload-rce

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.