
CVE-2025-10287: Direct Request in roncoo roncoo-pay

Low
Published: Fri Sep 12 2025 (09/12/2025, 04:32:07 UTC)
Source: CVE Database V5
Vendor/Project: roncoo
Product: roncoo-pay

Description

A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexity level is associated with this attack. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/12/2025, 17:18:20 UTC

Technical Analysis

CVE-2025-10287 is a vulnerability in roncoo-pay, a payment product developed by roncoo. The flaw lies in an unspecified function behind the /auth/orderQuery endpoint: manipulating the orderNo parameter allows a "direct request" attack, the pattern catalogued as CWE-425 (Direct Request / Forced Browsing), in which a client asks for a resource directly by identifier rather than through the flow the application expects, and the handler serves it without the access check that flow would have applied. The description suggests that the endpoint looks up and returns an order by orderNo without confirming that the order belongs to the authenticated caller, so an account with ordinary privileges could read order records it should not see. The attack is remote and needs no user interaction, but the CVSS 4.0 vector rates it as low privileges required (PR:L) and high attack complexity (AC:H): the attacker needs an account, and exploitation depends on conditions the advisory does not spell out, most plausibly knowledge or guesses of valid orderNo values. The CVSS 4.0 base score is 2.3 (Low), reflecting a limited confidentiality impact and no integrity or availability impact. roncoo-pay follows a rolling release model, so the affected range is given only as commits up to 9428382af21cd5568319eae7429b7e1d0332ff40 and no fixed version is identified; the vendor was contacted before disclosure and did not respond. A public exploit has been disclosed, although no exploitation in the wild has been reported. The CVE was reserved on 2025-09-11 and published on 2025-09-12. Overall this is a low-severity authorization weakness on order queries that could leak limited order data to an authenticated attacker under non-trivial conditions.
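The weakness described above, as an added illustration that is not roncoo-pay's code and does not reproduce its handler: a hypothetical order store with two lookups, one keyed on the client-supplied orderNo alone (the forced-browsing pattern) and one keyed on the authenticated caller's tenant as well. The order and caller types, the sample records and the identifier format check are all assumptions made for the example.

```python
"""Direct request (forced browsing) on an order-query endpoint.

Added illustration, not roncoo-pay's code. The order store, the caller
model and both handlers are hypothetical; they show an orderNo lookup
with no ownership check beside an ownership-bound version.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_no: str
    merchant_id: str      # tenant that created the order
    amount_cents: int
    payer_account: str    # masked wallet / card reference


@dataclass(frozen=True)
class Caller:
    """Authenticated principal. merchant_id comes from the session, never from the request."""
    merchant_id: str


# Constructed sample data standing in for the payment database.
ORDERS = {
    "20250912000001": Order("20250912000001", "merchant-A", 1250, "wallet:****1234"),
    "20250912000002": Order("20250912000002", "merchant-B", 9900, "wallet:****9876"),
}


def _valid_order_no(order_no: str) -> bool:
    """Reject input that is not the expected identifier shape before it reaches a query."""
    return order_no.isdigit() and 8 <= len(order_no) <= 32


def _render(order: Order) -> dict:
    return {"orderNo": order.order_no, "amount": order.amount_cents, "payer": order.payer_account}


def order_query_vulnerable(order_no: str) -> Optional[dict]:
    """Forced browsing: any authenticated caller gets any order by number.

    The caller's identity is never consulted, so knowing (or guessing)
    an orderNo is enough to read someone else's order.
    """
    order = ORDERS.get(order_no)
    return None if order is None else _render(order)


def order_query_fixed(caller: Caller, order_no: str) -> Optional[dict]:
    """Ownership-bound lookup.

    The lookup is keyed on (caller.merchant_id, order_no). An order that
    exists but belongs to another tenant yields exactly the same 'not found'
    result as one that does not exist, so the endpoint cannot be used as an
    orderNo existence oracle.
    """
    if not _valid_order_no(order_no):
        return None
    order = ORDERS.get(order_no)
    if order is None or order.merchant_id != caller.merchant_id:
        return None
    return _render(order)
```

In a real deployment the ownership predicate belongs in the query itself (a WHERE clause on the tenant column taken from the session), not in a post-filter applied after the row has already been fetched, so that every code path that reads orders inherits it.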

Potential Impact

For European organizations running roncoo-pay, exploitation would mean an authenticated but unauthorized party reading order records through /auth/orderQuery. The severity is low, but order records in a payment system typically carry customer identifiers, amounts and payment references, so a leak is personal data under the GDPR and may trigger breach-notification duties. With no vendor response and no fixed release, the exposure persists for as long as the component is deployed, and the risk grows where roncoo-pay sits in front of live payment or order processing. The high attack complexity and the need for an account make mass exploitation unlikely, and the flaw affects neither integrity nor availability, so operational disruption is not expected. The realistic harm is quiet disclosure of transaction details, with the attendant damage to customer trust and compliance posture. Organizations should confirm whether and where roncoo-pay is deployed, especially in e-commerce or payment flows, and treat the endpoint as a potential source of data leakage until it is fixed.

Mitigation Recommendations

Given the absence of vendor patches or updates, European organizations should implement compensating controls to mitigate this vulnerability:

1) Enforce authorization on every order lookup, at the application or at an API gateway in front of it: a request for an orderNo must return only orders that belong to the authenticated merchant or user, and an order that exists but is not theirs should produce the same response as one that does not exist.
2) Log and monitor all access to /auth/orderQuery, and alert on enumeration patterns such as one client requesting many distinct or sequential orderNo values in a short window, or a high rate of not-found responses.
3) Use network segmentation and firewall rules to restrict external reach to the endpoint wherever the business flow allows it.
4) Conduct internal code review or penetration testing of the order-query functionality, looking for the same pattern (a lookup keyed on a client-supplied identifier with no ownership check) in other endpoints.
5) If feasible, isolate or replace the roncoo-pay component until a fix is available from the project.
6) Train development and security teams on forced browsing and insecure direct object references, and make ownership-bound queries a secure-coding requirement.

These measures focus on access validation, monitoring and isolation of the specific endpoint and parameter rather than on generic hardening.
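The monitoring step above, as an added example that is not part of the advisory or of the roncoo-pay project: a detector that reads web-server access logs in combined log format, keeps only requests to /auth/orderQuery, and flags a client that queries many distinct orderNo values in a short window or walks through consecutive numbers. The log lines are constructed, and the path, parameter name, window and thresholds are assumptions to adapt to the real deployment.

```python
"""Detecting orderNo enumeration against /auth/orderQuery in access logs.

Added example, not part of the advisory or of roncoo-pay. SAMPLE_LOG is
constructed; TARGET_PATH and PARAM are the names given in the advisory;
the window and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "/auth/orderQuery"   # endpoint named in the advisory
PARAM = "orderNo"                  # parameter named in the advisory

# Constructed sample: merchantA walks five consecutive orderNo values in
# three seconds (one of them unknown to the system); merchantB looks up
# its own order twice, half an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - merchantA [12/Sep/2025:10:00:01 +0000] "GET /auth/orderQuery?orderNo=20250912000001 HTTP/1.1" 200 512
203.0.113.7 - merchantA [12/Sep/2025:10:00:02 +0000] "GET /auth/orderQuery?orderNo=20250912000002 HTTP/1.1" 200 498
203.0.113.7 - merchantA [12/Sep/2025:10:00:02 +0000] "GET /auth/orderQuery?orderNo=20250912000003 HTTP/1.1" 200 501
203.0.113.7 - merchantA [12/Sep/2025:10:00:03 +0000] "GET /auth/orderQuery?orderNo=20250912000004 HTTP/1.1" 404 87
203.0.113.7 - merchantA [12/Sep/2025:10:00:03 +0000] "GET /auth/orderQuery?orderNo=20250912000005 HTTP/1.1" 200 503
198.51.100.4 - merchantB [12/Sep/2025:10:00:05 +0000] "GET /auth/orderQuery?orderNo=20250912000002 HTTP/1.1" 200 498
198.51.100.4 - merchantB [12/Sep/2025:10:30:00 +0000] "GET /auth/orderQuery?orderNo=20250912000002 HTTP/1.1" 200 498
198.51.100.4 - merchantB [12/Sep/2025:10:31:00 +0000] "GET /health HTTP/1.1" 200 2
"""


def parse_events(log_text: str) -> list:
    """Return the order-query requests in the log as dicts (other paths are dropped)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != TARGET_PATH:
            continue
        values = parse_qs(url.query).get(PARAM)
        if not values:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "user": m["user"], "ts": ts,
                       "order_no": values[0], "status": int(m["status"])})
    return events


def find_enumeration(log_text: str, window: timedelta = timedelta(seconds=60),
                     distinct_threshold: int = 5, seq_run: int = 3) -> list:
    """Flag (ip, user) pairs that burst through distinct orderNo values or probe consecutive ones."""
    by_source = defaultdict(list)
    for ev in parse_events(log_text):
        by_source[(ev["ip"], ev["user"])].append(ev)

    findings = []
    for (ip, user), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding time window: how many distinct orderNo values within `window`?
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = {e["order_no"] for e in evs[start:end + 1]}
            if len(seen) >= distinct_threshold:
                not_found = sum(1 for e in evs[start:end + 1] if e["status"] == 404)
                findings.append({"kind": "distinct_burst", "ip": ip, "user": user,
                                 "distinct": len(seen), "not_found": not_found})
                break
        # Sequential probing, independent of timing: longest run of consecutive numbers.
        nums = sorted({int(e["order_no"]) for e in evs if e["order_no"].isdigit()})
        run = best = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b - a == 1 else 1
            best = max(best, run)
        if best >= seq_run:
            findings.append({"kind": "sequential_probe", "ip": ip, "user": user, "run": best})
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f)
```

The two signals are deliberately independent: a slow attacker defeats the time window but not the consecutive-number check, and an attacker with a stolen list of non-sequential orderNo values defeats the run check but not the burst count. Both should be keyed on the authenticated identity as well as the source address, since the advisory's attacker already holds an account.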


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-11T17:22:13.367Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c455cda2d8b85c2507118f

Added to database: 9/12/2025, 5:18:05 PM

Last enriched: 9/12/2025, 5:18:20 PM

Last updated: 9/12/2025, 5:18:35 PM
