CVE-2025-66736 identifies an Incorrect Access Control vulnerability in youlai-boot version 2.21.1, specifically within the importUsers function of the SysUserController.java component. The core issue is the absence of a permission check verifying the identity and authorization level of the user attempting to import user data. This omission allows any authenticated user, even those with minimal privileges, to invoke this function and import arbitrary user data into the system's database. Such unauthorized imports can lead to privilege escalation, unauthorized account creation, or manipulation of existing user records, severely compromising the integrity of the user management system. The vulnerability is remotely exploitable over the network without requiring user interaction, increasing its risk profile. The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) indicates that while the attacker needs some privileges, the attack complexity is low, and the impact on integrity is high, with limited confidentiality impact and no availability impact. The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization). No patches or known exploits are currently reported, but the vulnerability's nature suggests that exploitation could facilitate unauthorized administrative actions or data corruption within affected systems.

For European organizations, the impact of CVE-2025-66736 can be significant, particularly for those relying on youlai-boot for user management or identity services. Unauthorized user data imports can lead to privilege escalation, allowing attackers to gain administrative access or create backdoor accounts, undermining system integrity and trust. This can facilitate further lateral movement, data breaches, or sabotage within enterprise environments. The lack of availability impact means systems remain operational, potentially masking the presence of an attacker. Sectors such as finance, healthcare, government, and critical infrastructure, which require strict access controls and user management, are especially vulnerable. The breach of user data integrity can also lead to regulatory non-compliance under GDPR, resulting in legal and financial penalties. Given the remote exploitability and no need for user interaction, attackers can automate exploitation at scale, increasing the threat surface for European entities.

To mitigate CVE-2025-66736, organizations should immediately audit the importUsers function and ensure that robust permission checks are implemented to verify the invoking user's authorization before processing any user data imports. This includes enforcing role-based access control (RBAC) policies that restrict this function to trusted administrative roles only. Conduct thorough code reviews and penetration testing focused on access control mechanisms within youlai-boot components. If possible, apply vendor patches or updates once released. In the interim, restrict network access to the affected service to trusted administrators and monitor logs for unusual import activity or privilege escalations. Employ anomaly detection systems to flag unexpected user import operations. Additionally, enforce multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of compromised credentials being exploited. Finally, maintain regular backups of user data to enable recovery in case of unauthorized modifications.