
CVE-2025-15121: Information Disclosure in JeecgBoot

Severity: Medium
Published: Sun Dec 28 2025 (12/28/2025, 04:32:06 UTC)
Source: CVE Database V5
Product: JeecgBoot

Description

A vulnerability has been found in JeecgBoot up to 3.9.0. The affected element is the function getDeptRoleByUserId of the file /sys/sysDepartRole/getDeptRoleByUserId. Such manipulation of the argument departId leads to information disclosure. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 12/30/2025, 23:34:12 UTC

Technical Analysis

CVE-2025-15121 is a medium severity information disclosure vulnerability in JeecgBoot, an open-source low-code development platform widely used for enterprise applications; versions up to 3.9.0 are reported as affected. The flaw lies in the getDeptRoleByUserId function behind the /sys/sysDepartRole/getDeptRoleByUserId endpoint, where the handling of the departId parameter lets a caller who already holds high privileges supply a departId of their choosing and retrieve department-role information for that department. The recorded CVSS 4.0 vector gives adjacent network access (AV:A), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N) and low confidentiality impact (VC:L), with no integrity or availability impact. PR:H is the key qualifier: this is not an unauthenticated flaw, and an attacker needs an account with elevated rights before the departId manipulation is possible. The vendor was contacted before disclosure but did not respond, no patch has been issued, and no exploitation in the wild has been observed. The realistic use is by an insider, or by an attacker who has already obtained elevated access, enumerating department and role structure to plan lateral movement or privilege escalation.

Potential Impact

For European organizations, the primary impact of CVE-2025-15121 is unauthorized disclosure of internal role and department information, which can support targeted attacks such as spear phishing, social engineering, or lateral movement. Exploitation requires high privileges, so the realistic threat is a compromised or malicious privileged account using the endpoint to map organizational structure it is not entitled to see. This matters most in sectors with strict data-protection requirements, such as finance, healthcare, and government, and the absence of a vendor response or patch lengthens the exposure window. Organizations using JeecgBoot for internal management systems may also face GDPR obligations if the disclosed role data relates to identifiable individuals. The limited scope and medium severity make widespread disruption unlikely but do not rule out targeted abuse of the information.

Mitigation Recommendations

European organizations should start by auditing who can reach /sys/sysDepartRole/getDeptRoleByUserId and confirm that only accounts with a legitimate need hold the roles that can invoke it. Because the disclosure comes from a chosen departId rather than from malformed input, the control that matters is authorization: the handler should verify that the calling user is entitled to see the department identified by departId, not merely that the value is well formed. Until a fix is available, restrict or disable the endpoint at the reverse proxy or WAF where that is feasible, and make sure access logs record the calling identity and the departId so that one account enumerating many departments can be spotted. Review user privileges regularly and enforce least privilege, since PR:H means a compromised or misused privileged account is the realistic attack path. Watch the JeecgBoot project for a fix and plan to apply it promptly once released.
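The monitoring step above is easiest to act on with a concrete detector. The following Python script, added here as an illustration and not code from JeecgBoot or from this advisory, scans web access logs for one identity requesting many distinct departId values against /sys/sysDepartRole/getDeptRoleByUserId within a short window, which is the pattern a privileged account enumerating departments would produce. The log line layout (timestamp, client IP, authenticated user, method, URL, status), the sample lines, the usernames and the threshold are all constructed for the example, and the function names parse_line and find_enumeration are this example's own. If your deployment serves the API under a context path, adjust TARGET_PATH; if your proxy logs do not carry the authenticated user, key the count on the client IP or session token instead.

```python
"""Detect departId enumeration against the JeecgBoot endpoint in access logs.

Example added for this advisory; not code from JeecgBoot. The log format and
the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory. Prefix it with your context path if the API
# is not served at the root (assumption here: no context path).
TARGET_PATH = "/sys/sysDepartRole/getDeptRoleByUserId"

# Assumed log line layout (not JeecgBoot's own format):
#   <ISO-8601 UTC timestamp> <client ip> <authenticated user> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample: alice and bob make single lookups; mallory sweeps departId
# values, and her last request fails (non-2xx), so it is not counted.
SAMPLE_LOG = """\
2025-12-30T10:00:01Z 10.0.0.5 alice GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d100 200
2025-12-30T10:00:05Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d100 200
2025-12-30T10:00:06Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d101 200
2025-12-30T10:00:07Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d102 200
2025-12-30T10:00:08Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d103 200
2025-12-30T10:00:09Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d104 200
2025-12-30T10:00:10Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d105 200
2025-12-30T10:00:11Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d106 200
2025-12-30T10:00:12Z 10.0.0.9 mallory GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d107 500
2025-12-30T10:01:00Z 10.0.0.5 alice GET /sys/user/list 200
2025-12-30T11:30:00Z 10.0.0.7 bob GET /sys/sysDepartRole/getDeptRoleByUserId?departId=d200 200
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    query = parse_qs(url.query)
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "path": url.path,
        "depart_id": query.get("departId", [None])[0],
        "status": int(m["status"]),
    }


def find_enumeration(log_text, threshold=5, window_seconds=600):
    """Return {user: sorted departIds} for every user that requested more than
    `threshold` distinct departId values against TARGET_PATH inside some sliding
    window of `window_seconds`. Only 2xx responses count: a failed lookup
    discloses nothing."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] != TARGET_PATH or ev["depart_id"] is None:
            continue
        if not 200 <= ev["status"] < 300:
            continue
        per_user[ev["user"]].append((ev["ts"], ev["depart_id"]))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Advance the window start until every event in [start, end] fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {depart_id for _, depart_id in events[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) > threshold:
            findings[user] = sorted(best)
    return findings


if __name__ == "__main__":
    for user, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{user}: {len(ids)} distinct departId values in one window: {', '.join(ids)}")
```

Run against the constructed sample, only mallory is reported, with the seven departId values she retrieved successfully. The threshold and window are deliberately loose; a legitimate administrator may look up a handful of departments, so tune them against a baseline from your own logs before alerting on the result.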


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-12-27T09:00:57.900Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 695450b8db813ff03e2bf3ac

Added to database: 12/30/2025, 10:22:48 PM

Last enriched: 12/30/2025, 11:34:12 PM

Last updated: 2/7/2026, 6:35:14 PM
