
CVE-2025-10275: Improper Authorization in YunaiV yudao-cloud

Severity: Medium
Published: Fri Sep 12 2025 (09/12/2025, 01:02:09 UTC)
Source: CVE Database V5
Vendor/Project: YunaiV
Product: yudao-cloud

Description

A weakness has been identified in YunaiV yudao-cloud up to 2025.09. This affects an unknown part of the file /crm/business/transfer. Executing manipulation of the argument ids/newOwnerUserId can lead to improper authorization. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/12/2025, 01:44:55 UTC

Technical Analysis

CVE-2025-10275 is a medium-severity vulnerability in YunaiV yudao-cloud, affecting versions up to 2025.09. It arises from improper authorization in the /crm/business/transfer endpoint, where the request parameters 'ids' and 'newOwnerUserId' are acted on without an adequate check that the caller is entitled to transfer those records. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) describes a remotely exploitable flaw that needs only low privileges (PR:L), no user interaction (UI:N) and no special preconditions (AT:N), with low impact on the confidentiality, integrity and availability of the vulnerable system. In practice, an authenticated low-privileged user could transfer ownership of, or otherwise manipulate, business records in the CRM module, leading to unauthorized data access or modification. The vendor has not responded to the disclosure and no patch is available. Exploit code has been published (E:P), although no exploitation in the wild is known at this time. Because no user interaction is required and the endpoint is reachable remotely, automated or large-scale exploitation is feasible. The subsequent-system metrics (SC:N/SI:N/SA:N) indicate the impact is confined to the vulnerable component rather than spreading to other systems. The root cause is an access control check that is missing or insufficient, which lets a low-privileged user act on records beyond those they own.

Potential Impact

For European organizations using YunaiV yudao-cloud, particularly those relying on the CRM business transfer functionality, this vulnerability could lead to unauthorized data manipulation, including the reassignment of business records or ownership. This can compromise data integrity and confidentiality, potentially causing operational disruptions, loss of trust, and regulatory compliance issues under GDPR if personal or sensitive data is involved. The remote exploitability without user interaction increases the risk of automated attacks targeting multiple organizations simultaneously. Given the vendor's lack of response and absence of patches, European entities may face prolonged exposure. The impact is particularly relevant for sectors with high reliance on CRM systems for customer data management, such as finance, retail, and professional services. Unauthorized changes in ownership or data could also facilitate fraud or insider threat activities. While the vulnerability is medium severity, the ease of exploitation and potential for unauthorized access to business-critical data make it a significant concern for affected organizations.

Mitigation Recommendations

European organizations should immediately audit their use of the yudao-cloud CRM transfer functionality and restrict access to the affected endpoint to trusted users only. Implement network-level controls such as IP whitelisting or VPN access to limit exposure. Employ application-layer firewalls or WAFs to detect and block suspicious parameter manipulation attempts targeting 'ids' and 'newOwnerUserId'. Conduct thorough logging and monitoring of all transfer operations to detect anomalous or unauthorized activities promptly. If possible, temporarily disable or restrict the vulnerable functionality until a vendor patch or official mitigation is released. Engage with the vendor for updates and consider alternative CRM solutions if the risk cannot be adequately managed. Additionally, review and strengthen internal access control policies and ensure least privilege principles are enforced within the application. Regularly update incident response plans to include scenarios involving unauthorized data manipulation in CRM systems.
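The technical analysis above attributes the flaw to a missing or insufficient access control check on the transfer operation, and the mitigation section asks for logging of transfer operations. The following is an added example written for this page, not yudao-cloud's own code: it models the /crm/business/transfer request (parameters ids and newOwnerUserId) against an in-memory store and places the weak pattern beside a hardened version that verifies ownership of every record before writing anything and logs each denial. The class and function names, the admin role, and the sample records are all assumptions.

```python
"""Ownership check for a CRM "transfer business" operation.

Hypothetical illustration written for this page; it is not yudao-cloud's own
code. It models the /crm/business/transfer request (parameters ids and
newOwnerUserId) against an in-memory store, showing the weak pattern the
advisory describes next to a hardened one. Names and sample data are assumed.
"""
import logging
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

log = logging.getLogger("crm.business.transfer")


class AuthorizationError(PermissionError):
    """The caller is not allowed to transfer one of the requested records."""


@dataclass
class Business:
    id: int
    owner_user_id: int


@dataclass
class CrmStore:
    """Constructed stand-in for the CRM database."""
    businesses: Dict[int, Business]
    active_user_ids: Set[int]
    admin_user_ids: Set[int] = field(default_factory=set)  # may transfer any record


def sample_store() -> CrmStore:
    """Constructed sample data: user 1 owns 101 and 102, user 3 owns 103,
    user 2 owns nothing, user 9 holds the (assumed) CRM admin role."""
    return CrmStore(
        businesses={
            101: Business(101, owner_user_id=1),
            102: Business(102, owner_user_id=1),
            103: Business(103, owner_user_id=3),
        },
        active_user_ids={1, 2, 3, 9},
        admin_user_ids={9},
    )


def transfer_unchecked(store: CrmStore, caller_id: int, ids: Iterable[int],
                       new_owner_user_id: int) -> List[int]:
    """Weak pattern: authentication is assumed to have happened, but 'ids' and
    'newOwnerUserId' are trusted as received, so any logged-in user can
    reassign records that belong to someone else."""
    moved: List[int] = []
    for bid in ids:
        biz = store.businesses.get(bid)
        if biz is not None:
            biz.owner_user_id = new_owner_user_id
            moved.append(bid)
    return moved


def transfer_checked(store: CrmStore, caller_id: int, ids: Iterable[int],
                     new_owner_user_id: int) -> List[int]:
    """Hardened pattern: every record and the target owner are validated before
    any write, so a request that fails on one id changes nothing, and each
    denial is logged for monitoring."""
    ids = list(dict.fromkeys(ids))  # de-duplicate while keeping request order
    if not ids:
        raise ValueError("ids must not be empty")
    if new_owner_user_id not in store.active_user_ids:
        log.warning("transfer denied: caller=%s reason=invalid_new_owner value=%s",
                    caller_id, new_owner_user_id)
        raise ValueError("newOwnerUserId is not an active user")

    is_admin = caller_id in store.admin_user_ids
    for bid in ids:
        biz = store.businesses.get(bid)
        # An unknown id and an id owned by someone else get the same response,
        # so the error cannot be used to learn which record ids exist.
        if biz is None or (not is_admin and biz.owner_user_id != caller_id):
            log.warning("transfer denied: caller=%s id=%s reason=not_owner_or_missing",
                        caller_id, bid)
            raise AuthorizationError(f"not permitted to transfer business {bid}")

    for bid in ids:  # all checks passed; only now mutate
        store.businesses[bid].owner_user_id = new_owner_user_id
    log.info("transfer ok: caller=%s ids=%s new_owner=%s",
             caller_id, ids, new_owner_user_id)
    return ids
```

The important design points are that the check is per record (a list parameter must be authorized element by element, not once for the request), that validation of the whole list completes before the first write so a partial transfer cannot leave records in a mixed state, and that the target user is itself validated against the active user list. The warning lines emitted on denial are the kind of event the mitigation section suggests monitoring; a burst of denials from one caller across many ids is a useful alert condition.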


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-11T15:26:24.555Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c3778f563d4c3db0630923

Added to database: 9/12/2025, 1:29:51 AM

Last enriched: 9/12/2025, 1:44:55 AM

Last updated: 9/12/2025, 11:16:48 PM
