
CVE-2025-10989: Improper Authorization in yangzongzhuan RuoYi

Severity: Medium
Published: Fri Sep 26 2025 (09/26/2025, 00:32:10 UTC)
Source: CVE Database V5
Vendor/Project: yangzongzhuan
Product: RuoYi

Description

A security flaw has been discovered in yangzongzhuan RuoYi up to version 4.8.1. The vulnerability affects unknown code in the file /system/role/authUser/selectAll. Manipulating the argument userIds results in improper authorization. The attack can be launched remotely. The exploit has been released publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/26/2025, 01:04:03 UTC

Technical Analysis

CVE-2025-10989 is a medium-severity vulnerability affecting yangzongzhuan RuoYi versions up to 4.8.1. The flaw lies in the authorization logic of the endpoint /system/role/authUser/selectAll, where manipulation of the userIds argument allows an attacker to bypass the intended authorization checks. This improper authorization enables a remote attacker to access or modify data or functions that should be restricted. Exploitation requires no user interaction and has low attack complexity, but it does require a low-privileged account (PR:L), so the attacker must already hold limited privileges on the system. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects a network attack vector, low complexity, no user interaction, partial impact on confidentiality, integrity, and availability, and a proof-of-concept exploit maturity. The vendor has not responded to the disclosure, and no official patch has been released. Although no exploitation in the wild has been reported, a public exploit is available, which increases the likelihood of exploitation. The vulnerability could allow unauthorized access to user role data or privilege escalation within the RuoYi system, potentially leading to data exposure or unauthorized administrative actions.

Potential Impact

For European organizations using yangzongzhuan RuoYi, this vulnerability poses a risk of unauthorized access to sensitive role and user authorization data, which could lead to privilege escalation or unauthorized administrative control within applications built on RuoYi. This can compromise the confidentiality and integrity of user data and system configuration, potentially disrupting business operations or enabling further attacks. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face compliance consequences if unauthorized access leads to a data breach. The lack of vendor response and patches prolongs exposure, making timely mitigation critical. The medium severity rating suggests a moderate impact, but the availability of a public exploit means attackers could use this vulnerability to gain a foothold or move laterally within networks.

Mitigation Recommendations

European organizations should immediately audit their use of yangzongzhuan RuoYi, specifically versions 4.8.0 and 4.8.1, and restrict access to the /system/role/authUser/selectAll endpoint to trusted administrators only. Implement network-level controls such as IP allowlisting and VPN access to limit exposure of the vulnerable service. Conduct thorough privilege reviews to ensure users hold only the minimum necessary permissions, reducing the risk posed by a compromised low-privileged account. Monitor logs for unusual access patterns or attempts to manipulate the userIds parameter on this endpoint. Where possible, deploy application-layer WAF (Web Application Firewall) rules to detect and block suspicious requests targeting this endpoint. Organizations should also consider isolating RuoYi instances from critical infrastructure until a vendor patch or official fix is available. Follow vendor and community channels for updates and apply patches promptly once released. Finally, conduct internal penetration testing to verify that the mitigations are effective.
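The log-monitoring recommendation above can be turned into a simple check. The following is an added example, not code from the advisory or from the RuoYi project: it scans web-server access logs in combined log format for requests to /system/role/authUser/selectAll and flags those coming from addresses outside an assumed administrator allowlist or carrying an unusually long userIds list. It assumes userIds is visible in the logged query string; the admin addresses, the threshold, and the log lines are constructed samples.

```python
"""Flag suspicious hits on the RuoYi role-assignment endpoint in access logs.

Added example, not part of the advisory. Assumes Apache/Nginx combined log
format and that userIds is visible in the query string. Allowlist, threshold
and log lines are constructed samples.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/system/role/authUser/selectAll"
ADMIN_ALLOWLIST = {"10.0.0.5"}   # assumed: hosts admins normally manage roles from
MAX_USER_IDS = 5                 # assumed threshold for one assignment request

# client ip, method, request target and HTTP status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def analyze_line(line, allowlist=ADMIN_ALLOWLIST, max_ids=MAX_USER_IDS):
    """Return reasons the request looks suspicious; empty if benign or off-endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return []
    reasons = []
    if ip not in allowlist:
        reasons.append(f"source {ip} not in admin allowlist")
    # userIds is assumed to arrive as one comma-separated value
    raw = parse_qs(parts.query).get("userIds", [])
    user_ids = [u for value in raw for u in value.split(",") if u]
    if len(user_ids) > max_ids:
        reasons.append(f"{len(user_ids)} userIds in a single request")
    if reasons and status.startswith("2"):
        reasons.append(f"server answered HTTP {status}")
    return reasons


def scan(lines):
    """Return (line_number, client_ip, reasons) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = analyze_line(line)
        if reasons:
            hits.append((number, LOG_RE.match(line).group(1), reasons))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [26/Sep/2025:10:00:00 +0000] "POST /system/role/authUser/selectAll?roleId=2&userIds=7 HTTP/1.1" 200 51',
    '203.0.113.9 - - [26/Sep/2025:10:00:05 +0000] "POST /system/role/authUser/selectAll?roleId=1&userIds=2,3,4,5,6,7,8 HTTP/1.1" 200 51',
    '203.0.113.9 - - [26/Sep/2025:10:00:09 +0000] "GET /system/user/list HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for number, ip, reasons in scan(SAMPLE_LOG):
        print(f"line {number} from {ip}: " + "; ".join(reasons))
```

If the application posts userIds in the request body rather than the query string, the same check needs application-level request logging that records form parameters.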


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-25T17:14:33.456Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68d5e3049e21be37e93844d2

Added to database: 9/26/2025, 12:49:08 AM

Last enriched: 9/26/2025, 1:04:03 AM

Last updated: 9/26/2025, 2:00:20 AM
