Cyber Posture

CVE-2024-56829

Critical

Published: 02 January 2025

Modified: 15 April 2026
KEV Added: (no value on record)
Patch: (no value on record)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0007 (20.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx.

Security Summary

CVE-2024-56829 is a critical arbitrary file upload vulnerability in Huang Yaoshi Pharmaceutical Management Software through version 16.0. It is triggered by a .asp filename supplied in the fileName element of the UploadFile element within a SOAP request to the /XSDService.asmx endpoint. Classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): the endpoint is reachable over the network, attack complexity is low, no privileges or user interaction are required, the scope is changed, and confidentiality, integrity, and availability are all rated high impact.

Unauthenticated remote attackers can exploit this flaw by sending a SOAP request to /XSDService.asmx that names a .asp file in the fileName element. Because the upload is not restricted by file type, arbitrary files such as ASP web shells can be written to the server and then executed, yielding remote code execution (RCE). An attacker with RCE gains full control of the vulnerable system, enabling data theft, persistence, privilege escalation, or pivoting to other network assets.

The provided references link to GitHub documentation in a repository by Zerone0x00, which details the exploitation steps for the arbitrary file upload but does not include vendor advisories, patches, or explicit mitigation guidance. Practitioners should immediately restrict or block inbound traffic to /XSDService.asmx, monitor for suspicious SOAP requests, upgrade to a patched version if available from the vendor, and conduct forensic reviews on exposed instances.
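As a defender-side illustration of the monitoring advice above (an added example, not code from this page, the vendor, or the referenced repository): a small Python checker that flags SOAP POSTs to /XSDService.asmx whose UploadFile/fileName value carries a server-executable extension, including the double-extension, semicolon and null-byte variants a naive suffix check would miss. The SOAP envelope layout, the tempuri.org namespace and the sample bodies are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Extensions IIS/ASP.NET hosts execute server-side. The advisory names .asp;
# the others are added from general IIS hardening practice, not from the page.
EXECUTABLE_EXTENSIONS = {".asp", ".aspx", ".asa", ".ashx", ".asmx"}

def _local_name(tag: str) -> str:
    """Drop the XML namespace so matching works whatever namespace the service uses."""
    return tag.rsplit("}", 1)[-1]

def executable_extension(filename: str) -> Optional[str]:
    """Return the first executable extension found in a filename, else None.

    Every extension in the name is inspected, so case tricks (x.AsP), double
    extensions (x.asp.jpg), IIS semicolon tricks (x.asp;.jpg) and null-byte
    truncation (x.asp\\x00.jpg) are all caught, not only the final suffix.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for ext in re.findall(r"\.[a-z0-9]+", base):
        if ext in EXECUTABLE_EXTENSIONS:
            return ext
    return None

def flag_upload_request(path: str, body: str) -> Optional[str]:
    """Return a finding string for a POST matching the vulnerable pattern, else None."""
    if path.split("?", 1)[0].lower() != "/xsdservice.asmx":
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unparseable SOAP body sent to /XSDService.asmx"
    for upload in root.iter():
        if _local_name(upload.tag) != "UploadFile":
            continue
        for child in upload.iter():
            if _local_name(child.tag) == "fileName" and child.text:
                ext = executable_extension(child.text.strip())
                if ext:
                    return f"UploadFile fileName={child.text.strip()!r} carries executable extension {ext}"
    return None

# Constructed sample requests (envelope layout and tempuri.org namespace are assumptions).
BENIGN_BODY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><UploadFile xmlns="http://tempuri.org/"><fileName>invoice.pdf</fileName></UploadFile></soap:Body>
</soap:Envelope>"""
SUSPICIOUS_BODY = BENIGN_BODY.replace("invoice.pdf", "report.asp;.jpg")
```

The same check can run over a WAF or reverse-proxy request log to find past attempts, not only to block new ones.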

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
