CVE-2025-34160: AnyShare ServiceAgent API Unauthenticated RCE
AnyShare contains a critical unauthenticated remote code execution vulnerability in the ServiceAgent API exposed on port 10250. The endpoint /api/ServiceAgent/start_service accepts user-supplied input via POST and fails to sanitize command-like payloads. An attacker can inject shell syntax that is interpreted by the backend, enabling arbitrary command execution. The vulnerability is presumed to affect builds released prior to August 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 UTC.
Security readout for executives and security teams
Plain-English summary
CVE-2025-34160 is a critical unauthenticated remote code execution issue in AnyShare. A reachable ServiceAgent API may let an outside attacker run arbitrary backend commands. The affected version range is not precisely defined, but the bundle says builds before August 2025 are presumed affected and newer versions are said to remediate it.
Executive priority
Treat this as an urgent exposure-management item. Unauthenticated RCE against a file-sharing platform can create broad compromise risk, especially if externally reachable. Because affected versions are unclear, prioritize discovery, isolation, and vendor-confirmed upgrade decisions.
Technical view
The issue is described as CWE-78 command injection in AnyShare ServiceAgent API on port 10250. A POST-exposed service path accepts unsanitized user input that can be interpreted by the backend shell. CVSS 4.0 is 10.0 with network access, no privileges, and no user interaction required.
Likely exposure
Exposure is likely where Shanghai Aishu AnyShare is deployed and the ServiceAgent API is reachable, especially from untrusted networks. The exact affected range is undefined, so teams should treat pre-August 2025 or unverified builds as suspect until vendor guidance confirms status.
Exploitation context
The CVE is not listed as KEV in the supplied bundle. Public technical and exploit-tagged references exist. The bundle says Shadowserver observed exploitation evidence on 2025-07-11 UTC, but no Shadowserver URL is included here, so active exploitation is not independently confirmed from the listed sources.
Researcher notes
Evidence supports critical command injection risk, but version bounds and vendor fix details are incomplete in the supplied sources. Avoid assuming all AnyShare versions are affected. Validation should focus on product presence, ServiceAgent reachability, build age, and advisory tracking.
Mitigation direction
Inventory all AnyShare deployments and owners.
Restrict untrusted access to ServiceAgent API on port 10250.
Check Aishu guidance and upgrade to a vendor-supported remediated build.
Prioritize internet-exposed systems before internal-only deployments.
Monitor CVE, VulnCheck, Chaitin, and vendor advisories for affected-version clarification.
Validation and detection
Confirm whether AnyShare is present in asset inventory.
Identify any exposed ServiceAgent listeners on port 10250.
Record AnyShare version and build date for each system.
Review access logs for unexpected ServiceAgent API requests.
Check whether network controls block untrusted access to the service.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-78: Command execution behavior lookup
Command injection weaknesses can lead defenders to review execution techniques and command interpreter telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-78 · source CWE mapping
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.