轉發 台灣電腦網路危機處理暨協調中心 TWCERTCC-200-202507-00000024

[內容說明]
【飛宇高新科技｜多功能智慧校園平台 - Missing Authorization】(CVE-2025-8322，CVSS：8.8) 飛宇高新科技多功能校園平台存在Missing Authorization漏洞，已取得一般使用者權限之遠端攻擊者能夠直接存取管理員功能，包括新增、修改與刪除帳號，甚至可將任意帳號提升為系統管理員。

【飛宇高新科技｜多功能智慧校園平台 - Arbitrary File Upload】(CVE-2025-8323，CVSS：8.8) 飛宇高新科技多功能校園平台存在Arbitrary File Upload漏洞，已取得一般使用者權限之遠端攻擊者可上傳並執行網頁後門程式，進而於伺服器端執行任意程式碼。

[影響平台]
多功能智慧校園平台

[建議措施]
系統執行於地端之學校單位，請聯繫飛宇高新科技確認單位更新狀況；或評估關閉對外服務、僅開放校內使用。

[參考資料]
1. https://www.twcert.org.tw/tw/cp-132-10304-6b375-1.html
2. https://www.twcert.org.tw/tw/cp-132-10306-ccea7-1.html

Forwarded by Taiwan Computer Network Crisis Response and Coordination Center TWCERTCC-200-202507-00000024

[Description]
[Ventem | Multifunctional Smart Campus Platform - Missing Authorization] (CVE-2025-8322, CVSS: 8.8) Ventem's Multifunctional Campus Platform has a Missing Authorization vulnerability. A remote attacker with normal user privileges can directly access administrator functions, including adding, modifying, and deleting accounts, and even elevate any account to system administrator.

[Ventem | Multifunctional Smart Campus Platform - Arbitrary File Upload] (CVE-2025-8323, CVSS: 8.8) Ventem's Multifunctional Campus Platform has an Arbitrary File Upload vulnerability. A remote attacker with normal user privileges can upload and execute a web backdoor program, thereby executing arbitrary code on the server.

[Affected Platform]
Multi-functional Smart Campus Platform

[Recommended Actions]
Schools operating the system on-site should contact Ventem to confirm the status of their updates. Alternatively, consider closing external services and limiting access to campus services only.

[References]
1. https://www.twcert.org.tw/tw/cp-132-10304-6b375-1.html
2. https://www.twcert.org.tw/tw/cp-132-10306-ccea7-1.html