CVE-2025-10277: Improper Authorization in YunaiV yudao-cloud
A vulnerability was detected in YunaiV yudao-cloud up to 2025.09. This issue affects some unknown processing of the file /crm/receivable/submit. The manipulation of the argument ID results in improper authorization. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10277 is a medium-severity vulnerability in YunaiV yudao-cloud affecting versions up to 2025.09. The flaw sits in the authorization logic behind the /crm/receivable/submit endpoint: per the advisory, manipulating the ID argument bypasses the authorization check. That is the pattern of an object-level authorization flaw, where the ID selects which receivable is acted on and the caller's right to that particular record is not enforced; the exact code path is not published (the advisory calls it "some unknown processing"). Exploitation is remote over the network and needs no user interaction, but it is not unauthenticated: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) records low privileges required (PR:L), i.e. an attacker holding an ordinary low-privileged account, and low attack complexity. VC:L/VI:L/VA:L score a partial loss of confidentiality, integrity and availability within the vulnerable system, with no impact on adjacent systems (SC:N/SI:N/SA:N), and E:P records that proof-of-concept exploit code is public. The vendor was contacted before disclosure and has neither responded nor issued a patch. Because the broken control is authorization on financial CRM records, the practical impact is unauthorized reading or modification of receivable data; with public exploit code and no fix, organizations running yudao-cloud should treat this as a significant risk until mitigations or patches are available.
Potential Impact
For European organizations, this vulnerability threatens the confidentiality and integrity of financial and customer relationship management data processed in yudao-cloud. Unauthorized use of the receivable submission function could lead to fraudulent or falsified receivable records, leakage of customer financial data, or manipulation of critical business records, and unauthorized access to personal or financial data can put an organization in breach of GDPR. The availability impact is limited but could occur if attackers disrupt receivable processing. Exploitation requires only a low-privileged account and no user interaction, so any insider, compromised user, or self-registered tenant is a viable attacker, which raises the likelihood of attack in organizations that rely on yudao-cloud for CRM and financial operations. The absence of a vendor patch and the availability of public exploit code further elevate the threat. European companies in the finance, retail and services sectors using yudao-cloud are particularly exposed, with potential consequences including financial loss, reputational damage and legal penalties.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement compensating controls now. Because the underlying defect is a missing object-level authorization check, the most effective control is to enforce that check yourself: if you maintain the deployment, add a server-side verification that the authenticated caller owns, or has an explicit permission on, the receivable identified by ID before the submit action runs, and reject the request otherwise. Restricting network access to the /crm/receivable/submit endpoint via firewalls or a web application firewall (WAF) to trusted IP addresses reduces exposure to external attackers, but note that exploitation needs only a low-privileged account, so IP restrictions do not stop an insider or a compromised internal user. Add monitoring and alerting on receivable submissions, in particular on one account submitting many distinct IDs in a short window, sequential or out-of-range ID values, and submissions against records the caller does not own. Enforce strong internal access controls and segmentation to limit the impact of any unauthorized access, and audit historical receivable submission logs for the same patterns to detect past exploitation. If possible, temporarily disable or restrict the vulnerable functionality until a vendor patch is released. Engage with the vendor for updates and consider alternative solutions if the vendor remains unresponsive. Additionally, apply general security best practices such as multi-factor authentication for administrative access and regular security assessments of cloud services.
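The log-audit and alerting steps above, as an added example that is not part of the original advisory or of the yudao-cloud project. It runs two detectors over access-log entries for /crm/receivable/submit: submissions against receivables the caller does not own, and bursts of many distinct IDs from one account. The log line shape, the ownership table, the HTTP method and the `id` query parameter name are all assumptions for the example; a real deployment would substitute its own access-log parser and query its receivable table for the owner column.

```python
"""Detect abuse of /crm/receivable/submit (CVE-2025-10277) in access logs.

Added example, not yudao-cloud code. The log format and the sample data
below are constructed for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed log line shape: "<ISO-8601 ts> <user> <method> <path?query> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
TARGET_PATH = "/crm/receivable/submit"

# Constructed sample log: alice submits her own records, mallory walks
# through a block of IDs she does not own, bob submits one of his own.
SAMPLE_LOG = """\
2025-09-12T17:01:02Z alice PUT /crm/receivable/submit?id=1001 200
2025-09-12T17:01:05Z alice PUT /crm/receivable/submit?id=1002 200
2025-09-12T17:02:10Z mallory PUT /crm/receivable/submit?id=2001 200
2025-09-12T17:02:11Z mallory PUT /crm/receivable/submit?id=2002 200
2025-09-12T17:02:12Z mallory PUT /crm/receivable/submit?id=2003 200
2025-09-12T17:02:13Z mallory PUT /crm/receivable/submit?id=2004 403
2025-09-12T17:02:14Z mallory PUT /crm/receivable/submit?id=2005 200
2025-09-12T17:02:15Z mallory PUT /crm/receivable/submit?id=2006 200
2025-09-12T17:03:00Z bob GET /crm/receivable/page?pageNo=1 200
2025-09-12T17:03:30Z bob PUT /crm/receivable/submit?id=2001 200
"""

# Constructed ownership table (receivable id -> owning user); in practice
# this comes from the CRM receivable table's owner column.
RECEIVABLE_OWNER = {
    1001: "alice", 1002: "alice",
    2001: "bob", 2002: "bob", 2003: "bob",
    2004: "carol", 2005: "carol", 2006: "carol",
}


def parse_submit_events(log_text):
    """Return (timestamp, user, receivable_id, status) for each submit request.

    Every attempt is kept regardless of status: a 403 still shows probing.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, _method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != TARGET_PATH:
            continue
        ids = parse_qs(parts.query).get("id")
        if not ids or not ids[0].isdigit():
            continue  # non-numeric ids deserve their own alert; out of scope here
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, int(ids[0]), int(status)))
    return events


def cross_owner_submissions(events, owners, privileged=frozenset()):
    """Flag submissions where the caller is neither the record owner nor privileged.

    An unknown id (not in the owners table) is flagged too, since it may be a
    probe for records outside the caller's visible set.
    """
    hits = []
    for when, user, rid, status in events:
        owner = owners.get(rid)
        if user in privileged or owner == user:
            continue
        hits.append({"time": when.isoformat(), "user": user, "id": rid,
                     "owner": owner, "status": status})
    return hits


def enumeration_suspects(events, window_seconds=60, min_distinct=5):
    """Flag users touching many distinct receivable IDs inside a sliding window.

    Reports, per flagged user, the window with the most distinct IDs and
    whether those IDs form a contiguous run (typical of ID walking).
    """
    per_user = defaultdict(list)
    for when, user, rid, _status in events:
        per_user[user].append((when, rid))
    suspects = {}
    for user, seq in per_user.items():
        seq.sort()
        best, lo = None, 0
        for hi in range(len(seq)):
            while (seq[hi][0] - seq[lo][0]).total_seconds() > window_seconds:
                lo += 1
            ids = sorted({rid for _, rid in seq[lo:hi + 1]})
            if len(ids) >= min_distinct and (best is None or len(ids) > best["distinct_ids"]):
                best = {"distinct_ids": len(ids),
                        "sequential": ids[-1] - ids[0] == len(ids) - 1,
                        "span_seconds": (seq[hi][0] - seq[lo][0]).total_seconds()}
        if best:
            suspects[user] = best
    return suspects


def analyze(log_text=SAMPLE_LOG, owners=RECEIVABLE_OWNER):
    """Run both detectors and return a report suitable for alerting."""
    events = parse_submit_events(log_text)
    return {"cross_owner": cross_owner_submissions(events, owners),
            "enumeration": enumeration_suspects(events)}


if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

On the sample data, mallory is reported by both detectors (six records owned by bob and carol, six consecutive IDs within five seconds) while alice and bob, who only submit their own records, are not. Tune `window_seconds` and `min_distinct` to the legitimate submission rate in your deployment, and pass the role accounts that legitimately submit on behalf of others in `privileged` so they do not flood the cross-owner alert.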
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-11T15:26:40.540Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c455cda2d8b85c25071189
Added to database: 9/12/2025, 5:18:05 PM
Last enriched: 9/12/2025, 5:18:31 PM
Last updated: 9/12/2025, 5:18:35 PM
Related Threats
- CVE-2025-10322: Weak Password Recovery in Wavlink WL-WN578W2 (Medium)
- CVE-2025-58434: CWE-306: Missing Authentication for Critical Function in FlowiseAI Flowise (Critical)
- CVE-2025-7448: CWE-290 Authentication Bypass by Spoofing in silabs.com Wi-SUN Stack (High)
- CVE-2025-4235: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Palo Alto Networks User-ID Credential Agent (High)
- CVE-2025-4234: CWE-532: Insertion of Sensitive Information into Log File in Palo Alto Networks Cortex XDR Microsoft 365 Defender Pack (Low)