CVE-2025-46174 identifies an Incorrect Access Control vulnerability in Ruoyi version 4.8.0, specifically within the resetPwd method of the SysUserController.java component. The root cause is a missing checkUserDataScope permission verification, which should restrict password reset capabilities to authorized users only. Due to this omission, an unauthenticated attacker can invoke the resetPwd method to reset passwords of arbitrary users without any permission checks. This vulnerability falls under CWE-284 (Improper Access Control). The CVSS v3.1 base score is 7.5, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity (I:N) or availability (A:N). The vulnerability was reserved in April 2025 and published in November 2025. No patches or known exploits are currently available, but the lack of authentication and permission checks makes exploitation straightforward. This flaw could allow attackers to gain unauthorized access to user accounts by resetting passwords, potentially leading to data breaches or further lateral movement within affected environments.

For European organizations, the primary impact is the unauthorized disclosure of sensitive user credentials and potential account takeover, which compromises confidentiality. Attackers exploiting this vulnerability can reset passwords of any user, including privileged accounts, leading to unauthorized access to internal systems and sensitive data. This could result in data breaches, intellectual property theft, and disruption of business operations. Since the vulnerability does not affect integrity or availability directly, the main concern is unauthorized access and data exposure. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Ruoyi or its customized versions face elevated risks. The absence of required privileges and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks if the vulnerability is not remediated promptly.

1. Immediately review and update the resetPwd method in SysUserController.java to include proper checkUserDataScope permission verification to ensure only authorized users can reset passwords. 2. Implement additional access control layers such as role-based access control (RBAC) and multi-factor authentication (MFA) for password reset operations. 3. Conduct a thorough audit of all password reset functionalities across the application to identify and fix similar access control issues. 4. Monitor logs for unusual password reset activities or spikes in reset requests, especially from unauthenticated sources. 5. Restrict network access to administrative interfaces and sensitive endpoints using network segmentation and firewall rules. 6. Educate developers on secure coding practices focusing on access control to prevent recurrence. 7. If possible, apply vendor patches or updates once available and test them in a controlled environment before deployment. 8. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block unauthorized resetPwd method invocations until a patch is applied.