[Vulnerability Alert] Fiyun Tech | Two Significant Security Vulnerabilities in the Multi-functional Smart Campus Platform

• Subject: [Vulnerability Alert] Fiyun Tech | Two Significant Security Vulnerabilities in the Multi-functional Smart Campus Platform

• Content:
  • Forwarded from Taiwan Computer Network Emergency Response Team/Coordination Center TWCERTCC-200-202507-00000024
  • [Fiyun Tech | Multi-functional Smart Campus Platform - Missing Authorization] (CVE-2025-8322, CVSS: 8.8) A Missing Authorization vulnerability exists in the Fiyun Tech Multi-functional Smart Campus Platform. A remote attacker with general user permissions can directly access administrator functions, including adding, modifying, and deleting accounts, and can even elevate any account to a system administrator.
  • [Fiyun Tech | Multi-functional Smart Campus Platform - Arbitrary File Upload] (CVE-2025-8323, CVSS: 8.8) An Arbitrary File Upload vulnerability exists in the Fiyun Tech Multi-functional Smart Campus Platform. A remote attacker with general user permissions can upload and execute web backdoor programs, thereby executing arbitrary code on the server.
• Affected Platforms:
  • Multi-functional Smart Campus Platform
• Recommended Action:
  • For school units where the system is running on-premise, please contact Fiyun Tech to confirm the unit's update status; or consider shutting down external services and only allowing internal use.
• References:
  1. https://www.twcert.org.tw/tw/cp-132-10304-6b375-1.html
  2. https://www.twcert.org.tw/tw/cp-132-10306-ccea7-1.html

Computer and Communications Center
Network Systems Group