【Vulnerability Alert】Two Critical Vulnerabilities in E-EXCELLENCE U-Office Force

Publish date: 2025-03-21
Update date: 2025-03-21

Source: Ministry of Education Information & Communication Security Contingency Platform

Publication Number: TACERT-ANA-2025031810030000
Publication Time: 2025/03/18 10:21
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/03/18 10:21
Impact Level: Medium
[Subject]
【Vulnerability Alert】Two Critical Vulnerabilities in E-EXCELLENCE U-Office Force
[Content]
Forwarded from TWCERTCC-200-202503-00000005

[E-EXCELLENCE U-Office Force - Improper Authentication] (TVN-202503002, CVE-2025-2395, CVSS: 9.8)
E-EXCELLENCE U-Office Force has an Improper Authentication vulnerability. A remote attacker without authentication can manipulate cookies when interacting with specific APIs, allowing them to log in as an administrator.

[E-EXCELLENCE U-Office Force - Arbitrary File Upload] (TVN-202503003, CVE-2025-2396, CVSS: 8.8)
E-EXCELLENCE U-Office Force has an Arbitrary File Upload vulnerability. A remote attacker with standard user privileges can upload and execute a web shell (backdoor), enabling arbitrary code execution on the server.

Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
U-Office Force versions earlier than 28.0
[Recommended Actions]
Users should update U-Office Force to version 28.0 or later as soon as possible to mitigate these vulnerabilities.
[Reference]
E-EXCELLENCE U-Office Force - Improper Authentication: https://www.twcert.org.tw/tw/cp-132-10011-3de72-1.html
E-EXCELLENCE U-Office Force - Arbitrary File Upload: https://www.twcert.org.tw/tw/cp-132-10013-0d371-1.html
(This notification is for informational purposes only and does not constitute a cybersecurity incident.)
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center