CVE-2025-10278: Improper Authorization in YunaiV ruoyi-vue-pro
A flaw has been found in YunaiV ruoyi-vue-pro up to 2025.09. Affected is an unknown function of the file /crm/contact/transfer. Manipulation of the argument ids/newOwnerUserId leads to improper authorization. The attack can be carried out remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10278 is a medium-severity vulnerability in YunaiV ruoyi-vue-pro affecting versions up to 2025.09. The flaw resides in an unspecified function behind the /crm/contact/transfer endpoint, where manipulation of the parameters 'ids' and 'newOwnerUserId' results in improper authorization. The vulnerability can be exploited remotely, requires no user interaction, and needs only low-level privileges (PR:L). Because the authorization check is inadequate, an attacker can potentially transfer ownership of CRM contacts without the permissions that operation should require, leading to unauthorized access to or modification of sensitive customer relationship data. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vendor has not responded to early disclosure attempts, and no patches or mitigations have been published yet. Although no exploitation in the wild has been reported, a proof-of-concept exploit has been published, which increases the likelihood of exploitation.
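The defect class described above is a bulk "transfer ownership" operation that trusts the `ids` and `newOwnerUserId` values it receives instead of deciding, server-side and per object, whether the caller may move each contact. The following is an added illustrative model of that check; it is not code from ruoyi-vue-pro and makes no claim about how that project's handler is written. All names (`User`, `Contact`, `ContactStore`, `transfer_contacts`, `transfer_contacts_unchecked`, `AuthorizationError`, the `crm_admin` role) and the sample data are constructed for this example.

```python
"""
Illustrative model of a CRM "transfer contacts" operation with a proper
per-object authorization check. Added example: NOT code from ruoyi-vue-pro;
all names and data below are constructed for illustration only.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to perform the requested transfer."""


@dataclass
class User:
    user_id: int
    roles: frozenset = frozenset()
    active: bool = True


@dataclass
class Contact:
    contact_id: int
    owner_user_id: int


@dataclass
class ContactStore:
    contacts: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)


def transfer_contacts_unchecked(store, caller, ids, new_owner_user_id):
    """Pattern to avoid: the handler applies whatever the request body says and
    never consults `caller`. Any authenticated user can reassign arbitrary
    contact ids to any user id, which is the improper-authorization class the
    advisory describes."""
    for cid in ids:
        store.contacts[cid].owner_user_id = new_owner_user_id
    return len(ids)


def transfer_contacts(store, caller, ids, new_owner_user_id):
    """Hardened form. Authorization is decided server-side, per object:
    - the caller must own every contact in the batch, or hold a role that
      explicitly grants transfer over any contact ('crm_admin' here);
    - the target owner must be an existing, active user;
    - the batch is all-or-nothing: every id is checked before any is moved,
      so a single forbidden id cannot leave a partially applied transfer."""
    target = store.users.get(new_owner_user_id)
    if target is None or not target.active:
        raise AuthorizationError("new owner is not a valid active user")
    is_admin = "crm_admin" in caller.roles
    to_move = []
    for cid in ids:
        contact = store.contacts.get(cid)
        # Unknown ids get the same error as forbidden ones, so the endpoint
        # does not double as an existence oracle for contact ids.
        if contact is None or (not is_admin and contact.owner_user_id != caller.user_id):
            raise AuthorizationError(f"contact {cid} is not transferable by caller")
        to_move.append(contact)
    for contact in to_move:
        contact.owner_user_id = new_owner_user_id
    return len(to_move)


def make_sample_store():
    """Constructed sample data: two ordinary owners, one admin, one disabled user."""
    store = ContactStore()
    store.users = {
        1: User(1),
        2: User(2),
        3: User(3, roles=frozenset({"crm_admin"})),
        4: User(4, active=False),
    }
    store.contacts = {
        10: Contact(10, owner_user_id=1), 11: Contact(11, owner_user_id=1),
        20: Contact(20, owner_user_id=2), 21: Contact(21, owner_user_id=2),
    }
    return store


if __name__ == "__main__":
    s = make_sample_store()
    print("owner moves own contacts:", transfer_contacts(s, s.users[1], [10, 11], 2))
    try:
        transfer_contacts(s, s.users[1], [20], 1)
    except AuthorizationError as exc:
        print("denied:", exc)
```

The important design choice is that the decision depends only on server-held state (who owns each contact, which roles the caller has, whether the target user is active), never on anything the client sent beyond the ids themselves; rejecting the whole batch on the first failed check keeps the audit trail simple and avoids half-applied transfers.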
Potential Impact
For European organizations using YunaiV ruoyi-vue-pro, particularly those managing CRM data, this vulnerability poses a risk of unauthorized data manipulation and potential data breaches. Improper authorization in the contact transfer functionality could allow attackers to hijack or reassign customer contacts, leading to data integrity issues, unauthorized data access, and potential compliance violations under GDPR due to mishandling of personal data. The impact on confidentiality and integrity, although rated low individually, can be significant when combined with other vulnerabilities or insider threats. Unauthorized contact transfers could also disrupt business operations, sales processes, and customer trust. Since the attack can be performed remotely without user interaction, organizations face a higher risk of automated or targeted attacks. The lack of vendor response and the absence of patches further increase the risk to affected European entities.
Mitigation Recommendations
European organizations should immediately audit their use of YunaiV ruoyi-vue-pro, focusing on the /crm/contact/transfer functionality. Until an official patch is released, organizations should implement strict network segmentation and access controls to limit exposure of the vulnerable endpoint to trusted internal networks only. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious parameter manipulation attempts targeting 'ids' and 'newOwnerUserId'. Conduct thorough logging and monitoring of CRM contact transfer activities to detect anomalous behavior indicative of exploitation attempts. Additionally, enforce the principle of least privilege for all users interacting with the CRM system, ensuring that only authorized personnel can perform contact transfers. Organizations should also engage with the vendor for updates and consider temporarily disabling or restricting the vulnerable functionality if feasible. Finally, prepare incident response plans specific to potential exploitation scenarios involving unauthorized data transfers.
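The logging and monitoring recommendation above is only useful if the transfer events are actually correlated with ownership. The following added example (not the page's or the project's code) sketches two detections over audit lines for the transfer endpoint: a successful transfer by a non-admin actor of a contact the actor did not previously own, and a burst of transfer requests from one actor inside a short window. The log format, field names (`actor`, `roles`, `prevOwners`, `newOwnerUserId`), role name `crm_admin` and all sample lines are constructed for this example; ruoyi-vue-pro's real audit logs will need their own parser, and the previous-owner field would normally be enriched from the database before or during ingestion.

```python
"""
Detection sketch for monitoring CRM contact-transfer activity.
Added example: the log format, field names and sample lines are CONSTRUCTED
for illustration and are not ruoyi-vue-pro's actual audit log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: one per transfer request, key=value fields.
# prevOwners lists the owner of each id before the request was applied.
SAMPLE_LOG = """\
2025-09-12T03:30:00Z actor=7 roles=sales path=/crm/contact/transfer ids=10,11 newOwnerUserId=8 prevOwners=7,7 status=200
2025-09-12T03:31:05Z actor=7 roles=sales path=/crm/contact/transfer ids=20 newOwnerUserId=7 prevOwners=2 status=200
2025-09-12T03:31:10Z actor=9 roles=crm_admin path=/crm/contact/transfer ids=30,31 newOwnerUserId=12 prevOwners=4,5 status=200
2025-09-12T03:32:00Z actor=7 roles=sales path=/crm/contact/transfer ids=40,41,42 newOwnerUserId=7 prevOwners=3,3,3 status=200
2025-09-12T03:32:30Z actor=7 roles=sales path=/crm/contact/transfer ids=50 newOwnerUserId=7 prevOwners=5 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\d+) roles=(?P<roles>\S+) path=(?P<path>\S+) "
    r"ids=(?P<ids>[\d,]+) newOwnerUserId=(?P<new_owner>\d+) "
    r"prevOwners=(?P<prev>[\d,]+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Parse one constructed audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "actor": int(d["actor"]),
        "roles": set(d["roles"].split(",")),
        "path": d["path"],
        "ids": [int(x) for x in d["ids"].split(",")],
        "new_owner": int(d["new_owner"]),
        "prev_owners": [int(x) for x in d["prev"].split(",")],
        "status": int(d["status"]),
    }


def find_suspicious_transfers(log_text, admin_roles=frozenset({"crm_admin"}),
                              window=timedelta(minutes=5), burst_threshold=3):
    """Return a list of (rule, actor, timestamp) findings over successful transfers.

    'non_owner_transfer': a non-admin actor moved at least one contact it did not own.
    'transfer_burst': an actor issued more than burst_threshold successful transfer
    requests within the sliding window (fires once per request past the threshold)."""
    findings = []
    recent = defaultdict(list)  # actor -> timestamps of recent successful requests
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] != "/crm/contact/transfer" or ev["status"] != 200:
            continue
        is_admin = bool(ev["roles"] & admin_roles)
        if not is_admin and any(p != ev["actor"] for p in ev["prev_owners"]):
            findings.append(("non_owner_transfer", ev["actor"], ev["ts"]))
        timestamps = recent[ev["actor"]] + [ev["ts"]]
        recent[ev["actor"]] = [t for t in timestamps if ev["ts"] - t <= window]
        if len(recent[ev["actor"]]) > burst_threshold:
            findings.append(("transfer_burst", ev["actor"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for rule, actor, ts in find_suspicious_transfers(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} actor={actor}")
```

On the constructed sample, the ordinary user 7 triggers the ownership rule three times and the burst rule once, while the admin user 9 moving contacts it does not own is treated as expected activity; tune the role set, window and threshold to the real deployment's transfer patterns before alerting on them.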
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-11T15:26:43.078Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c394f4b40dc0e4c24ff7c5
Added to database: 9/12/2025, 3:35:16 AM
Last enriched: 9/19/2025, 3:58:08 PM
Last updated: 10/30/2025, 12:42:51 PM