
CVE-2025-10674: Improper Authorization in fuyang_lipengjun platform

Severity: Medium
Published: Thu Sep 18 2025 (09/18/2025, 15:32:08 UTC)
Source: CVE Database V5
Vendor/Project: fuyang_lipengjun
Product: platform

Description

A vulnerability was identified in fuyang_lipengjun platform 1.0. This affects the function AttributeCategoryController of the file /attributecategory/queryAll. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/26/2025, 01:01:36 UTC

Technical Analysis

CVE-2025-10674 is a medium-severity vulnerability identified in version 1.0 of the fuyang_lipengjun platform. The flaw exists in the AttributeCategoryController component, specifically within the /attributecategory/queryAll endpoint. It results from improper authorization controls: requests to the endpoint are not subjected to sufficient permission checks, so a remote attacker can query data they are not entitled to see. No user interaction is required. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) indicates a network-based attack vector, low attack complexity, no user interaction, and low privileges required (PR:L). This is consistent with a missing authorization check rather than a missing authentication check: a low-privileged account can reach the endpoint remotely, and the endpoint does not verify that the account is actually permitted to query the data. The impact on confidentiality is low, with no impact on integrity or availability, meaning the attacker may gain unauthorized read access to attribute category data but cannot modify or disrupt the system. Although no patches are currently linked, a public exploit exists (E:P), increasing the risk of exploitation. The CVE was reserved and published on the same day, indicating recent discovery and disclosure. No exploitation in the wild is known at this time, but the availability of a public exploit could change this rapidly.

Potential Impact

For European organizations using the fuyang_lipengjun platform version 1.0, this vulnerability poses a risk of unauthorized data disclosure due to improper authorization controls. Although the impact on confidentiality is low, unauthorized access to attribute category data could expose sensitive business or operational information, potentially aiding further attacks or corporate espionage. The lack of impact on integrity and availability reduces the risk of system disruption or data tampering. However, the fact that exploitation requires only low privileges and no user interaction means that insider threats or compromised low-privilege accounts could leverage this vulnerability to escalate data access. Organizations in regulated sectors such as finance, healthcare, or critical infrastructure in Europe may face compliance risks if unauthorized data access leads to breaches of GDPR or other data protection laws. Additionally, the presence of a public exploit increases the urgency for mitigation to prevent opportunistic attackers from leveraging this vulnerability.

Mitigation Recommendations

European organizations should immediately assess their deployment of the fuyang_lipengjun platform to identify instances running version 1.0. Since no official patch links are currently available, organizations should implement compensating controls such as restricting network access to the /attributecategory/queryAll endpoint through firewall rules or web application firewalls (WAFs) so that only trusted internal IPs can reach it. Conduct thorough access control reviews to ensure that authorization checks are correctly enforced at the application level, for example by adding custom authorization middleware or filters in front of the controller. Monitor logs for unusual access patterns to the affected endpoint, especially requests from low-privilege accounts or external sources. Upgrade to a later version of the platform once a patch is released. Additionally, enforce strict privilege management so that the number of low-privilege accounts able to reach the endpoint is kept to a minimum. Regularly update threat intelligence feeds to track any emerging exploits in the wild and adjust defenses accordingly.
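The log-monitoring and network-restriction recommendations above can be turned into a simple detection pass. The following Python is an added example written for this page, not code from the fuyang_lipengjun platform or from the advisory source. It assumes combined-style access log lines with a trailing `role=` field (a constructed format), an internal network of 10.10.0.0/16 and an `admin` role as the only one entitled to query attribute categories; all of these are assumptions, and the log lines are constructed samples. It flags any request to /attributecategory/queryAll that comes from outside the trusted network, or that succeeded for an account whose role should not have been authorized, which is exactly the pattern this improper-authorization flaw would leave behind.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log (not from the product). Each line is
# combined-log style with an extra trailing "role=<role>" field that an
# application-level authorization filter might emit. "-" means anonymous.
SAMPLE_LOG = """\
10.10.5.21 - alice [26/Sep/2025:01:00:01 +0000] "GET /attributecategory/queryAll HTTP/1.1" 200 812 role=admin
10.10.5.22 - bob [26/Sep/2025:01:00:05 +0000] "GET /attributecategory/queryAll HTTP/1.1" 200 812 role=user
203.0.113.7 - carol [26/Sep/2025:01:00:09 +0000] "GET /attributecategory/queryAll HTTP/1.1" 200 812 role=admin
10.10.5.23 - dave [26/Sep/2025:01:00:12 +0000] "GET /index HTTP/1.1" 200 120 role=user
203.0.113.8 - - [26/Sep/2025:01:00:15 +0000] "GET /attributecategory/queryAll HTTP/1.1" 401 0 role=-
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ role=(?P<role>\S+)$'
)

# The endpoint named in the advisory.
SENSITIVE_PATHS = {"/attributecategory/queryAll"}
# Assumed trusted internal range (adjust to the real deployment).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Assumed: only administrators should be able to enumerate attribute categories.
AUTHORIZED_ROLES = {"admin"}


@dataclass(frozen=True)
class Finding:
    ip: str
    user: str
    role: str
    status: int
    path: str
    reasons: tuple[str, ...]


def parse_line(line: str) -> dict | None:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted_source(ip: str) -> bool:
    """True if the client IP falls inside one of the trusted internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text: str) -> list[Finding]:
    """Flag suspicious requests to the sensitive endpoint.

    Two independent signals are reported:
      external_source       - request reached the endpoint from outside TRUSTED_NETS
                              (any status: an external hit is already a policy breach)
      low_privilege_success - a 2xx response was served to an account whose role is
                              not in AUTHORIZED_ROLES (the authorization bypass itself)
    """
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] not in SENSITIVE_PATHS:
            continue
        status = int(rec["status"])
        reasons: list[str] = []
        if not is_trusted_source(rec["ip"]):
            reasons.append("external_source")
        if 200 <= status < 300 and rec["role"] not in AUTHORIZED_ROLES:
            reasons.append("low_privilege_success")
        if reasons:
            findings.append(Finding(rec["ip"], rec["user"], rec["role"],
                                    status, rec["path"], tuple(reasons)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, for a quick triage view."""
    return dict(Counter(r for f in findings for r in f.reasons))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ip:<14} user={f.user:<6} role={f.role:<6} status={f.status} "
              f"{f.path} -> {', '.join(f.reasons)}")
    print(summarize(hits))
```

Running it over the constructed sample prints three findings: bob's successful query as a plain `user` (the bypass), and two external hits, one that succeeded and one that was refused. In a real deployment the `low_privilege_success` signal is the one to alert on, since it indicates the authorization check was not enforced at all; `external_source` hits indicate the network restriction is not in place or has been circumvented.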


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-18T05:52:06.924Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cc27fc88e1289d50d4155e

Added to database: 9/18/2025, 3:40:44 PM

Last enriched: 9/26/2025, 1:01:36 AM

Last updated: 10/31/2025, 1:02:38 PM
