Interinfo DreamMaker Unrestricted File Upload Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A vulnerability allowing unrestricted upload of files with dangerous types has been identified in the file upload function of Interinfo DreamMaker, affecting versions prior to October 22, 2025. This vulnerability enables remote attackers to execute arbitrary system commands by uploading a malicious class file.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where Interinfo DreamMaker is running.

Remediation

It is recommended to disable the file upload functionality of the baServer3 servlet if it is not essential for daily operations. Additionally, deploy Web Application Firewall (WAF) rules that inspect request bodies and block any request containing the Java class file magic number 0xCAFEBABE (the first four bytes of every compiled .class file). If the service runs under the 'nt authority\system' account, change it to a standard user account with lower privileges so that command execution through the servlet does not yield SYSTEM-level access.
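The body-inspection rule above can be prototyped before it is written into a WAF policy. The following is an added example (not code from Interinfo or from any WAF product): it parses a multipart/form-data upload, reports any part whose content begins with the Java class magic 0xCAFEBABE or whose filename ends in .class, and falls back to a broad "magic anywhere in the body" check for non-multipart requests. The multipart parser is deliberately minimal (CRLF line endings, no nested multipart), the function and constant names are hypothetical, and the sample bodies are constructed for the demonstration.

```python
import re

# Every compiled Java class file starts with these four bytes (0xCAFEBABE).
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def boundary_from_content_type(content_type: str):
    """Extract the multipart boundary parameter, or None if not multipart."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    return m.group(1).encode() if m else None


def split_multipart(body: bytes, boundary: bytes):
    """Split a multipart body into (raw_headers, content) tuples (minimal parser)."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part without a header/body separator
        if content.endswith(b"\r\n"):
            content = content[:-2]  # CRLF that precedes the next delimiter
        parts.append((head, content))
    return parts


def filename_of(headers: bytes) -> str:
    """Pull the filename out of a Content-Disposition header, if present."""
    m = re.search(rb'filename="([^"]*)"', headers)
    return m.group(1).decode("utf-8", "replace") if m else "<no filename>"


def inspect_upload(content_type: str, body: bytes):
    """Return (filename, reason) findings for an upload; an empty list means allow.

    Per-part checks look at the first bytes of each file (low false-positive rate);
    the body-wide check mirrors the broad WAF rule from the advisory.
    """
    findings = []
    boundary = boundary_from_content_type(content_type)
    if boundary:
        for headers, content in split_multipart(body, boundary):
            name = filename_of(headers)
            if content.startswith(JAVA_CLASS_MAGIC):
                findings.append((name, "content begins with Java class magic 0xCAFEBABE"))
            elif name.lower().endswith(".class"):
                findings.append((name, "filename has .class extension"))
    offset = body.find(JAVA_CLASS_MAGIC)
    if offset != -1 and not findings:
        findings.append(("<body>", f"Java class magic at byte offset {offset}"))
    return findings


# --- constructed sample requests (not captured traffic) ---------------------
BOUNDARY = "----ExampleBoundary"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def build_body(filename: str, content: bytes) -> bytes:
    """Construct a single-part multipart/form-data body for testing."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()


BENIGN_BODY = build_body("report.txt", b"quarterly figures\n")
# Magic followed by minor version 0 and major version 52 (Java 8); the .txt
# name shows that extension checks alone would miss a renamed class file.
CLASS_BODY = build_body("notes.txt", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34")

if __name__ == "__main__":
    print("benign:", inspect_upload(CONTENT_TYPE, BENIGN_BODY))
    print("renamed class:", inspect_upload(CONTENT_TYPE, CLASS_BODY))
    print("extension only:", inspect_upload(CONTENT_TYPE, build_body("Evil.class", b"plain")))
```

Two caveats when turning this into a production rule: matching 0xCAFEBABE at any offset in the body will also block legitimate uploads of Mach-O universal binaries, which share that magic number, so prefer the per-part "first bytes of the file" check where the WAF can parse multipart; and a class file delivered inside an archive or otherwise encoded will not be caught by either check, which is why disabling the upload feature and lowering the service account's privileges remain the primary mitigations.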

Added: Jan 30, 2026, 5:20 AM
Updated: Jan 30, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm (score per category)

spread:         0.0
impact:         2.5
exploitability: 7.4
remediation:    0.0
relevance:      2.5
threat:         0.0
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.