CVE-2025-45618 is a medium-severity vulnerability identified in the component /admin/sys/datasource/ajaxList of the jeeweb-mybatis-springboot framework version 0.0.1.RELEASE. The vulnerability stems from incorrect access control (CWE-284), which allows an attacker with some level of privileges (PR:L - privileges required) but no user interaction (UI:N) to access sensitive information by sending a crafted payload over the network (AV:N - network attack vector). The vulnerability does not impact integrity or availability but compromises confidentiality (C:H). The CVSS 3.1 base score is 6.5, reflecting a moderate risk. The flaw allows unauthorized access to sensitive data due to insufficient enforcement of access control policies on the ajaxList endpoint, potentially exposing internal system or application data that should be restricted. Although the affected product and vendor details are not specified, the vulnerability affects a component commonly used in Java Spring Boot applications integrated with MyBatis, which is a popular persistence framework. No patches or known exploits in the wild have been reported as of the publication date (May 5, 2025).

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive information, which can lead to data breaches, regulatory non-compliance (e.g., GDPR), and reputational damage. Since the vulnerability requires some level of privileges, attackers might exploit it after gaining limited access, such as through compromised credentials or insider threats. The exposure of sensitive data could include configuration details, user information, or internal system data, which could be leveraged for further attacks or espionage. Organizations in sectors with high data sensitivity, such as finance, healthcare, and government, are particularly at risk. The network-based attack vector means that attackers can exploit this remotely, increasing the threat surface. The lack of user interaction requirement facilitates automated exploitation attempts once access is obtained.

European organizations should first identify if they use the jeeweb-mybatis-springboot framework, particularly version 0.0.1.RELEASE or any other versions that might be affected. Since no official patches are currently available, organizations should implement strict network segmentation and access controls to limit access to the /admin/sys/datasource/ajaxList endpoint only to trusted and authenticated users with a need-to-know basis. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this endpoint can reduce exploitation risk. Conduct thorough privilege audits to ensure minimal necessary privileges are assigned to users and services interacting with this component. Monitoring and logging access to sensitive endpoints should be enhanced to detect anomalous activities promptly. Organizations should also engage with the vendor or open-source community for updates or patches and plan for timely application once available. Finally, penetration testing and code review focusing on access control mechanisms in the affected component can help identify and remediate similar issues proactively.