CVE-2025-15086: Improper Access Controls in youlaitech youlai-mall
A weakness has been identified in youlaitech youlai-mall 1.0.0/2.0.0. The flaw affects the function getMemberByMobile in the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java and results in improper access controls. The attack can be initiated remotely. A public exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-15086 identifies an improper access control vulnerability in the youlaitech youlai-mall e-commerce platform, specifically affecting versions 1.0.0 and 2.0.0. The vulnerability resides in the getMemberByMobile function located in the mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java file. This function is responsible for retrieving member information based on a mobile number. Due to insufficient access control checks, an attacker can remotely invoke this function to access member data without proper authorization. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of remote exploitation (attack vector: network), low attack complexity, and no privileges or user interaction needed. The vulnerability impacts confidentiality by potentially exposing sensitive member information but does not affect integrity or availability. The vendor was notified but has not issued a patch or response, and a public exploit is available, raising the urgency for mitigation. No known active exploitation in the wild has been reported yet.
Potential Impact
For European organizations using youlai-mall versions 1.0.0 or 2.0.0, this vulnerability poses a risk of unauthorized disclosure of member data, including potentially sensitive personal information linked to mobile numbers. This could lead to privacy violations under GDPR, resulting in regulatory penalties and reputational damage. E-commerce platforms are critical for customer trust and business continuity; unauthorized data access could also facilitate further attacks such as phishing or identity theft. The lack of vendor response and public exploit availability increase the risk of exploitation by opportunistic attackers. Organizations relying on youlai-mall for customer management or sales may face operational disruptions if attackers leverage this vulnerability to extract or manipulate user data. The impact is primarily on confidentiality, but indirect effects on business integrity and customer trust are significant.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. These include restricting network access to the affected getMemberByMobile API endpoint using firewalls or API gateways, enforcing strict authentication and authorization checks at the application or proxy level, and monitoring logs for unusual access patterns to this function. Organizations should conduct code reviews and, if possible, apply custom patches to enforce proper access controls in the affected function. Additionally, sensitive data exposure can be minimized by masking or encrypting member data fields. Regular vulnerability scanning and penetration testing should be conducted to detect exploitation attempts. Organizations should also prepare incident response plans specific to this vulnerability and engage with the vendor for updates. Finally, consider migrating to alternative platforms or updated versions once available.
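The monitoring step above (watching logs for unusual access to the member-lookup function) can be made concrete with a small log analyser. The following is an added example, not youlai-mall code and not from the advisory: it assumes a reverse proxy or API gateway in front of the application writes one access-log line per request with a field saying whether a validated token was presented, and it uses a placeholder route (MEMBER_LOOKUP_PATH) because the page names only the Java method getMemberByMobile, not its HTTP path. The sample log lines are constructed. It raises two kinds of findings: a successful lookup without authentication, and one client walking many distinct mobile numbers in a short window, which is the pattern an unauthenticated lookup invites. Mobile numbers are masked in the output, in line with the data-minimisation advice above.

```python
"""Detection logic for unauthorized calls to a member-lookup-by-mobile endpoint.

Added example for this advisory; it is not youlai-mall code. The endpoint path,
log format and sample lines are constructed assumptions, not taken from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: the route a reverse proxy or gateway logs for the member lookup.
# The advisory names only the Java method getMemberByMobile, not its HTTP route,
# so replace this with the path actually mapped in your deployment.
MEMBER_LOOKUP_PATH = "/app-api/v1/members/mobile/"

# Constructed access-log line shape: client ip, timestamp, request line, status,
# and whether the request carried a validated bearer token (auth=ok|none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth=(?P<auth>ok|none)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client walks three mobile numbers without a token,
# another makes a single authenticated lookup and an unrelated product request.
SAMPLE_LOG = """\
203.0.113.7 - [25/Dec/2025:20:42:01 +0000] "GET /app-api/v1/members/mobile/13800000001 HTTP/1.1" 200 auth=none
203.0.113.7 - [25/Dec/2025:20:42:02 +0000] "GET /app-api/v1/members/mobile/13800000002 HTTP/1.1" 200 auth=none
203.0.113.7 - [25/Dec/2025:20:42:03 +0000] "GET /app-api/v1/members/mobile/13800000003 HTTP/1.1" 200 auth=none
198.51.100.4 - [25/Dec/2025:20:45:10 +0000] "GET /app-api/v1/members/mobile/13900000009 HTTP/1.1" 200 auth=ok
198.51.100.4 - [25/Dec/2025:20:45:11 +0000] "GET /app-api/v1/products/42 HTTP/1.1" 200 auth=none
"""


def mask_mobile(mobile: str) -> str:
    """Keep only the leading 3 and trailing 2 digits so alerts do not leak the number."""
    if len(mobile) <= 5:
        return "*" * len(mobile)
    return mobile[:3] + "*" * (len(mobile) - 5) + mobile[-2:]


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text: str, enum_threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return findings for (a) successful lookups made without authentication and
    (b) one client querying at least `enum_threshold` distinct mobiles within `window`."""
    findings = []
    per_ip = defaultdict(list)  # ip -> [(timestamp, mobile)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MEMBER_LOOKUP_PATH):
            continue
        mobile = rec["path"][len(MEMBER_LOOKUP_PATH):].split("?", 1)[0]
        if rec["auth"] == "none" and rec["status"] == 200:
            findings.append({
                "rule": "unauthenticated_member_lookup",
                "ip": rec["ip"],
                "mobile": mask_mobile(mobile),
                "ts": rec["ts"].isoformat(),
            })
        per_ip[rec["ip"]].append((rec["ts"], mobile))

    for ip, hits in per_ip.items():
        hits.sort()
        start = 0  # sliding window over this client's time-ordered hits
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {m for _, m in hits[start:end + 1]}
            if len(distinct) >= enum_threshold:
                findings.append({
                    "rule": "mobile_enumeration",
                    "ip": ip,
                    "distinct_mobiles": len(distinct),
                    "window_start": hits[start][0].isoformat(),
                })
                break  # one enumeration finding per client is enough to alert on
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The enumeration threshold and window are deliberately low here so the constructed sample triggers; tune them to the normal per-client lookup rate seen in your own gateway logs, and feed the findings to whatever alerting path the incident response plan for this CVE designates.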
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-25T09:50:02.863Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694da1bc9e3e753cc3176e7e
Added to database: 12/25/2025, 8:42:36 PM
Last enriched: 12/25/2025, 8:42:53 PM
Last updated: 12/25/2025, 11:35:16 PM