CVE-2025-15086 identifies a security weakness in the youlaitech youlai-mall e-commerce platform, specifically versions 1.0.0 and 2.0.0. The vulnerability resides in the getMemberByMobile function of the MemberController.java source file, which is responsible for retrieving member information based on a mobile number. Due to improper access control implementation, remote attackers can invoke this function without proper authorization, potentially accessing sensitive member data. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely over the network. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L, interpreted as low privileges), no user interaction (UI:N), and low impact on confidentiality (VC:L) with no impact on integrity or availability. The exploit code has been publicly disclosed, increasing the risk of exploitation, although no active exploitation has been reported. The vendor was notified early but has not issued any patches or advisories, leaving users exposed. This vulnerability could allow unauthorized data disclosure of member information, which may include personally identifiable information (PII) or other sensitive data, depending on the implementation of the affected function.

For European organizations using youlai-mall versions 1.0.0 or 2.0.0, this vulnerability poses a risk of unauthorized access to member data, potentially leading to data breaches involving PII. Such breaches could result in regulatory penalties under GDPR due to inadequate protection of personal data. The improper access control could undermine customer trust and damage brand reputation. Although the impact on integrity and availability is minimal, the confidentiality breach alone is significant in sectors handling sensitive customer information, such as retail, finance, or healthcare. The public availability of exploit code increases the likelihood of opportunistic attacks, especially against organizations that have not applied mitigations or workarounds. The absence of vendor patches means organizations must rely on internal controls and monitoring to reduce risk. Additionally, attackers exploiting this vulnerability could use accessed data for further attacks, including social engineering or identity theft, amplifying the overall impact.

Since no official patches are available from the vendor, European organizations should implement compensating controls immediately. These include restricting network access to the affected API endpoints via firewalls or API gateways, limiting exposure to trusted internal networks only. Implement strict authentication and authorization checks at the application or proxy level to ensure only authorized users can invoke getMemberByMobile or similar functions. Conduct thorough code reviews and, if possible, apply custom patches or overrides to enforce proper access controls. Monitor logs and network traffic for unusual access patterns targeting member data retrieval functions. Employ Web Application Firewalls (WAFs) with rules designed to detect and block exploitation attempts against this endpoint. Educate development teams to prioritize upgrading or replacing youlai-mall versions once vendor patches become available. Finally, prepare incident response plans to quickly address any potential data breach resulting from exploitation.