CVE-2025-10987: Improper Authorization in YunaiV yudao-cloud
A vulnerability was determined in YunaiV yudao-cloud up to 2025.09. Affected by this issue is some unknown functionality of the file /crm/contact/transfer of the component HTTP Request Handler. This manipulation of the argument contactId causes improper authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10987 is a medium-severity vulnerability affecting the YunaiV yudao-cloud product, specifically versions up to 2025.09. The vulnerability resides in the HTTP Request Handler component, within the /crm/contact/transfer functionality. It involves improper authorization due to manipulation of the contactId argument: the handler acts on the supplied contact without verifying that the caller is permitted to transfer that contact. This flaw allows an attacker to remotely initiate unauthorized contact transfer operations. The vulnerability does not require user interaction and can be exploited over the network with low attack complexity; the CVSS vector indicates that only low privileges (PR:L) are needed, i.e. an ordinary authenticated account. The impact on confidentiality, integrity, and availability is limited but present, as unauthorized access to contact transfer operations could lead to unauthorized data manipulation or exposure within the CRM module. The vendor was notified but has not responded or provided a patch, and while the exploit has been publicly disclosed, there are no known exploits in the wild at this time. The CVSS 4.0 base score is 5.3, reflecting a medium severity level due to the combination of network attack vector, low complexity, no user interaction, and limited impact on system security properties.
Potential Impact
For European organizations using YunaiV yudao-cloud, particularly those relying on the CRM/contact management features, this vulnerability poses a risk of unauthorized data manipulation or unauthorized transfer of contact information. This could lead to data integrity issues, potential data leakage, and disruption of customer relationship management processes. Organizations in sectors such as finance, healthcare, and public administration, where contact data is sensitive and regulated under GDPR, may face compliance risks and reputational damage if this vulnerability is exploited. The lack of vendor response and patch availability increases the window of exposure. Attackers could leverage this vulnerability to escalate privileges within the CRM system or pivot to other internal systems if the compromised contact data is used for further social engineering or lateral movement.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement compensating controls immediately. These include:
1) Restricting network access to the yudao-cloud CRM module to trusted IP addresses and internal networks only, using firewalls or network segmentation.
2) Implementing strict monitoring and logging of all /crm/contact/transfer requests to detect anomalous or unauthorized activity.
3) Applying application-layer access controls or web application firewalls (WAFs) to validate and sanitize the contactId parameter and block suspicious requests.
4) Conducting regular audits of user permissions and roles within yudao-cloud to minimize privilege levels and reduce attack surface.
5) Preparing incident response plans specific to this vulnerability, including rapid isolation of affected systems if exploitation is detected.
6) Engaging with the vendor for updates and considering alternative CRM solutions if the vendor remains unresponsive.
Once a patch is released, prioritize immediate deployment.
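The monitoring and parameter-validation recommendations (items 2 and 3) can be turned into a concrete detection rule. The following is an added example written for this page, not code from the advisory or from the yudao-cloud project. Only the /crm/contact/transfer path and the contactId argument come from the advisory; the log line format, the authenticated-user field, the newOwnerUserId parameter, the contact-ownership snapshot, the sample log lines and the burst threshold are all constructed assumptions. The script flags transfer requests whose contactId is malformed, transfer requests against a contact the requesting user does not own (a 2xx status on such a request is the signature of a missing authorization check, a 4xx means the control held), and users issuing an unusual number of transfers.

```python
"""Detector for anomalous /crm/contact/transfer requests (added example).

Hypothetical code written for this page; it is not part of the advisory or of
the yudao-cloud project. The log line format, the contact-ownership table,
the newOwnerUserId parameter and the burst threshold are all assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TRANSFER_PATH = "/crm/contact/transfer"            # path named in the advisory
CONTACT_ID_RE = re.compile(r"^[1-9][0-9]{0,17}$")  # well-formed positive integer id

# Assumed log format: "<timestamp> <authenticated user> <method> <path?query> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2025-09-26T00:10:01Z alice PUT /crm/contact/transfer?contactId=101&newOwnerUserId=7 200
2025-09-26T00:10:05Z bob PUT /crm/contact/transfer?contactId=101&newOwnerUserId=9 200
2025-09-26T00:10:06Z bob PUT /crm/contact/transfer?contactId=102&newOwnerUserId=9 200
2025-09-26T00:10:07Z bob PUT /crm/contact/transfer?contactId=103&newOwnerUserId=9 403
2025-09-26T00:10:08Z bob PUT /crm/contact/transfer?contactId=abc&newOwnerUserId=9 400
2025-09-26T00:11:00Z carol GET /crm/contact/page?pageNo=1 200
"""

# Constructed ownership snapshot taken before the log window: contact id -> owner.
CONTACT_OWNERS = {101: "alice", 102: "alice", 103: "carol", 104: "bob"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep only the first value of each query parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def validate_contact_id(raw):
    """Return the id as an int when it is a plain positive integer, else None."""
    if raw is None or not CONTACT_ID_RE.match(raw):
        return None
    return int(raw)


def analyze(log_text, owners, burst_threshold=3):
    """Return a list of findings for transfer requests in log_text.

    Finding kinds:
      malformed_contact_id                - contactId is not a well-formed id
      foreign_contact_transfer_succeeded  - 2xx on a contact the user does not own
      foreign_contact_transfer_blocked    - non-2xx on a contact the user does not own
      transfer_burst                      - one user issued >= burst_threshold transfers
    """
    findings = []
    transfers_per_user = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TRANSFER_PATH:
            continue
        transfers_per_user[rec["user"]] += 1
        raw_id = rec["query"].get("contactId")
        cid = validate_contact_id(raw_id)
        if cid is None:
            findings.append({"kind": "malformed_contact_id", "ts": rec["ts"],
                             "user": rec["user"], "contactId": raw_id,
                             "status": rec["status"]})
            continue
        # Contacts missing from the snapshot are treated as foreign as well.
        if owners.get(cid) != rec["user"]:
            succeeded = 200 <= rec["status"] < 300
            findings.append({"kind": "foreign_contact_transfer_succeeded" if succeeded
                             else "foreign_contact_transfer_blocked",
                             "ts": rec["ts"], "user": rec["user"],
                             "contactId": cid, "status": rec["status"]})
    for user, count in transfers_per_user.items():
        if count >= burst_threshold:
            findings.append({"kind": "transfer_burst", "user": user, "count": count})
    return findings


def summarize(findings):
    """Count findings by kind for a quick triage view."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, CONTACT_OWNERS)
    for f in results:
        print(f)
    print(dict(summarize(results)))
```

On the constructed sample the script reports two foreign transfers that succeeded (bob moving alice's contacts 101 and 102), one that was blocked, one malformed contactId, and a burst for bob. The ownership snapshot would in practice be exported from the CRM database just before the log window; since a successful transfer changes the owner, a longer window should be processed in order with the snapshot updated after each legitimate transfer.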
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-25T17:12:14.245Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d5da069e21be37e937d02b
Added to database: 9/26/2025, 12:10:46 AM
Last enriched: 10/3/2025, 12:45:02 AM
Last updated: 10/7/2025, 1:50:34 PM