CVE-2025-10288: Improper Authentication in roncoo roncoo-pay

Medium
Published: Fri Sep 12 2025 (09/12/2025, 05:02:07 UTC)
Source: CVE Database V5
Vendor/Project: roncoo
Product: roncoo-pay

Description

A vulnerability was found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /user/info/list. Manipulating requests to it results in improper authentication. The attack can be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery, so no version details for affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/12/2025, 13:17:46 UTC

Technical Analysis

CVE-2025-10288 is a medium-severity vulnerability affecting the roncoo-pay product developed by roncoo. The vulnerability arises from improper authentication in an unspecified function related to the /user/info/list endpoint. Due to this flaw, an attacker can remotely manipulate requests to bypass authentication controls without requiring any privileges or user interaction. The product uses a rolling release model, which complicates version tracking and patch availability. The vendor has not responded to early disclosure attempts, and no patches or updates have been made publicly available. The CVSS 4.0 base score is 6.9, reflecting a network attack vector with low complexity, no privileges or user interaction required, and limited impact confined to confidentiality. The vulnerability allows unauthorized access to user information, potentially exposing sensitive data. Although no known exploits are currently active in the wild, the public disclosure of the exploit code increases the risk of exploitation. The lack of authentication enforcement on a user information listing endpoint represents a significant security weakness that could be leveraged for reconnaissance or further attacks within affected environments.

Potential Impact

For European organizations using roncoo-pay, this vulnerability could lead to unauthorized disclosure of user data, violating data protection regulations such as GDPR. Exposure of user information can result in privacy breaches, reputational damage, and potential legal consequences. Since the vulnerability allows remote exploitation without authentication, attackers could systematically harvest user data or gain footholds for lateral movement within networks. Financial institutions or e-commerce platforms relying on roncoo-pay for payment processing may face increased fraud risk or operational disruptions. The continuous delivery model without clear patching timelines complicates timely remediation, increasing exposure windows. Organizations with sensitive or regulated data are particularly at risk, as improper authentication undermines trust in access controls and may facilitate further exploitation or data exfiltration.

Mitigation Recommendations

Given the absence of vendor patches, European organizations should implement compensating controls immediately. These include restricting access to the /user/info/list endpoint via network segmentation or firewall rules to trusted IP addresses only. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block anomalous requests targeting this endpoint. Conduct thorough access log monitoring to identify suspicious access patterns or repeated unauthorized attempts. Implement strict authentication and authorization checks at the application layer if source code or configuration access is available, potentially disabling or restricting the vulnerable functionality until a patch is released. Engage with the vendor for updates and consider alternative payment solutions if risk tolerance is low. Additionally, ensure that incident response plans are updated to address potential exploitation scenarios involving this vulnerability.
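The access-log monitoring step above can be automated. The script below is an added example (not part of the advisory and not roncoo-pay code): it parses combined-format access logs and flags clients that were served /user/info/list without an earlier successful login, or that page through it repeatedly. The login route and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Combined/nginx access log format. TARGET_PATH is the endpoint named in
# CVE-2025-10288; LOGIN_PATH is an assumed placeholder, adjust to the real route.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TARGET_PATH = "/user/info/list"
LOGIN_PATH = "/login"  # assumption, not taken from the advisory

# Constructed sample traffic, not real logs: one client that logged in first,
# one client paging through the endpoint with no login, one request blocked (403).
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Sep/2025:10:01:02 +0000] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [12/Sep/2025:10:01:05 +0000] "GET /user/info/list?page=1 HTTP/1.1" 200 8421
198.51.100.7 - - [12/Sep/2025:10:02:10 +0000] "GET /user/info/list?page=1 HTTP/1.1" 200 8421
198.51.100.7 - - [12/Sep/2025:10:02:11 +0000] "GET /user/info/list?page=2 HTTP/1.1" 200 8399
198.51.100.7 - - [12/Sep/2025:10:02:12 +0000] "GET /user/info/list?page=3 HTTP/1.1" 200 8402
203.0.113.9 - - [12/Sep/2025:10:03:00 +0000] "GET /user/info/list HTTP/1.1" 403 0
"""

def parse_log(text):
    """Yield one dict per parseable line; the query string is stripped from the path."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]
            rec["status"] = int(rec["status"])
            yield rec

def find_suspicious(text, page_threshold=3):
    """Return {ip: set(reasons)} for clients that fetched TARGET_PATH successfully
    without an earlier successful login, or that listed it repeatedly."""
    logged_in = set()
    hits = defaultdict(int)
    findings = defaultdict(set)
    for rec in parse_log(text):
        if rec["path"] == LOGIN_PATH and rec["method"] == "POST" and rec["status"] == 200:
            logged_in.add(rec["ip"])
        elif rec["path"] == TARGET_PATH and rec["status"] == 200:
            hits[rec["ip"]] += 1
            if rec["ip"] not in logged_in:
                findings[rec["ip"]].add("served without prior login")
            if hits[rec["ip"]] >= page_threshold:
                findings[rec["ip"]].add("repeated listing (possible harvesting)")
    return dict(findings)
```

Treat the login correlation as a heuristic: clients behind shared NAT, or whose session began before the log window, will appear as false positives, so tune the window and threshold before alerting on it.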

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-11T17:22:20.173Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c41d5dd839f9a306304f65

Added to database: 9/12/2025, 1:17:17 PM

Last enriched: 9/12/2025, 1:17:46 PM

Last updated: 9/12/2025, 3:50:45 PM
