CVE-2025-10086: Improper Authorization in fuyang_lipengjun platform
A weakness has been identified in fuyang_lipengjun platform 1.0.0. The issue affects the function queryAll of the file /adposition/queryAll in the component AdPositionController. The flaw results in improper authorization. The attack can be initiated remotely. An exploit has been made publicly available and could be used. This issue affects a different part of the platform than CVE-2025-9936.
AI Analysis
Technical Summary
CVE-2025-10086 is a medium-severity vulnerability affecting version 1.0.0 of the fuyang_lipengjun platform. The flaw resides in the AdPositionController component, specifically in the queryAll function located at /adposition/queryAll. The vulnerability is an improper authorization weakness: an attacker can remotely invoke the queryAll function without a proper permission check. Because adequate authorization controls are absent, an attacker with low privileges can potentially access or manipulate data that should be restricted. The CVSS 4.0 vector indicates that the attack can be performed remotely (AV:N), requires low attack complexity (AC:L), has no special attack requirements (AT:N), and needs no user interaction (UI:N). However, the attacker must hold low privileges (PR:L), meaning some level of access is needed, though not elevated privileges. The impact on confidentiality, integrity, and availability is rated low (VC:L, VI:L, VA:L), suggesting limited but non-negligible consequences. No patches or exploit code are currently publicly available, and no known exploitation in the wild has been reported. This vulnerability is distinct from CVE-2025-9936 and affects a different part of the platform. The improper authorization could lead to unauthorized data disclosure or modification within the AdPositionController's scope, potentially exposing sensitive advertising position data or allowing unauthorized queries that could be leveraged for further attacks or information gathering.
Potential Impact
For European organizations using the fuyang_lipengjun platform version 1.0.0, this vulnerability could lead to unauthorized access to advertising position data or related business information managed by the platform. While the direct impact on confidentiality, integrity, and availability is assessed as low, the improper authorization could be exploited to gain insights into internal configurations or data flows, which might be leveraged in targeted attacks or competitive espionage. Organizations in sectors relying heavily on digital advertising or marketing platforms could face operational disruptions or reputational damage if sensitive data is exposed. Additionally, unauthorized access could contravene GDPR requirements concerning data protection and access controls, potentially resulting in regulatory scrutiny or fines. The remote exploitability and lack of user interaction requirements increase the risk of automated scanning and exploitation attempts, especially if the platform is internet-facing. However, the requirement for low privileges means that attackers must first gain some level of access, which may limit the scope of impact to organizations with weak internal access controls or exposed credentials.
Mitigation Recommendations
1. Implement strict access control mechanisms around the /adposition/queryAll endpoint, ensuring that only authorized roles can invoke this function.
2. Conduct a thorough review and audit of all authorization checks within the AdPositionController and related components to identify and remediate similar weaknesses.
3. Employ network segmentation and firewall rules to restrict access to the platform's management interfaces, limiting exposure to trusted networks or VPNs.
4. Enforce strong authentication and credential management policies to prevent unauthorized privilege acquisition that could be leveraged to exploit this vulnerability.
5. Monitor logs and network traffic for unusual access patterns to the /adposition/queryAll endpoint, enabling early detection of exploitation attempts.
6. Engage with the vendor or development team to obtain or develop patches addressing the improper authorization flaw.
7. If patching is not immediately possible, consider implementing Web Application Firewall (WAF) rules to block or challenge suspicious requests targeting the vulnerable endpoint.
8. Educate internal teams about the importance of least privilege principles and regularly review user permissions to minimize the risk of privilege escalation.
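The following is an added example illustrating recommendations 1 and 5 together; it is not code from the advisory or from the fuyang_lipengjun project. It shows a deny-by-default role check for the /adposition/queryAll endpoint, and then applies that same check retrospectively to access-log lines to flag requests the server answered successfully for a role the policy would have denied, plus a simple burst counter for spotting automated scanning of the endpoint. The log format, the role names (ADMIN, AD_MANAGER, USER), user names, IP addresses and all sample lines are constructed for the illustration and do not describe the platform's real logging or role model.

```python
"""
Added example (not part of the advisory or the fuyang_lipengjun project).
Demonstrates an explicit authorization policy for /adposition/queryAll and a
log scan that detects requests served despite that policy. The log format,
role names and sample records below are constructed.
"""
import re
from collections import Counter

# Deny-by-default policy: a path not listed here is denied for every role.
# Role names are assumed for the illustration.
ENDPOINT_POLICY = {
    "/adposition/queryAll": {"ADMIN", "AD_MANAGER"},
}


def is_authorized(role, path):
    """Return True only if the role is explicitly allowed to call the path."""
    return role in ENDPOINT_POLICY.get(path, set())


# Constructed access-log format:
#   <timestamp> <client_ip> <user> <role> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Normalise away the query string so the policy lookup sees the bare route.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_unauthorized_hits(lines):
    """Records where a policy-covered path returned 2xx to a role the policy denies.

    A 2xx response to a denied role is exactly what an improper authorization
    flaw looks like in the logs; 4xx responses mean the check did its job.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        served = 200 <= rec["status"] < 300
        if rec["path"] in ENDPOINT_POLICY and served \
                and not is_authorized(rec["role"], rec["path"]):
            hits.append(rec)
    return hits


def burst_sources(lines, path, threshold):
    """Client IPs that requested `path` at least `threshold` times (scanning indicator)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            counts[rec["ip"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


# Constructed sample log: one legitimate admin call, three successful calls by a
# low-privilege user (the pattern this CVE would produce), one properly denied
# call, one unrelated path, and one malformed line.
SAMPLE_LOG = [
    "2025-09-08T06:00:01Z 10.0.0.5 alice ADMIN GET /adposition/queryAll 200",
    "2025-09-08T06:00:02Z 10.0.0.9 bob USER GET /adposition/queryAll?page=1 200",
    "2025-09-08T06:00:03Z 10.0.0.9 bob USER GET /adposition/queryAll 200",
    "2025-09-08T06:00:04Z 10.0.0.9 bob USER GET /adposition/queryAll 200",
    "2025-09-08T06:00:05Z 10.0.0.7 carol USER GET /adposition/queryAll 403",
    "2025-09-08T06:00:06Z 10.0.0.7 carol USER GET /index 200",
    "garbage line",
]

if __name__ == "__main__":
    for h in find_unauthorized_hits(SAMPLE_LOG):
        print(f"served to denied role: {h['ts']} {h['ip']} {h['user']} ({h['role']}) {h['path']}")
    print("burst sources:", burst_sources(SAMPLE_LOG, "/adposition/queryAll", 3))
```

The two halves share one policy table on purpose: the same `is_authorized` function that should gate the controller is what the detection uses to decide which served requests should never have succeeded, so the policy cannot drift between enforcement and monitoring. In a real deployment the log regex and role names would be replaced with the platform's actual format and role model.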
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-07T18:43:07.833Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68be74bfd5a2966cfc7bda89
Added to database: 9/8/2025, 6:16:31 AM
Last enriched: 9/8/2025, 6:16:57 AM
Last updated: 10/19/2025, 8:52:03 PM
Views: 30