CVE-2025-10086

6.3 MEDIUM

📋 TL;DR

CVE-2025-10086 is an improper authorization vulnerability in the fuyang_lipengjun platform 1.0.0 that allows remote attackers to access unauthorized functionality via the queryAll function in the AdPositionController component. This affects organizations using this specific version of the platform. The vulnerability is distinct from CVE-2025-9936 but affects the same software.

💻 Affected Systems

Products:
  • fuyang_lipengjun platform
Versions: 1.0.0
Operating Systems: Any OS running the platform
Default Config Vulnerable: ⚠️ Yes
Notes: Only version 1.0.0 is confirmed affected. The vulnerability is in the AdPositionController component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive administrative functions, modify system configurations, or extract confidential data without proper authentication.

🟠 Likely Case

Unauthorized access to administrative interfaces leading to information disclosure or limited system manipulation.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the specific vulnerable component.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details are publicly available according to the references. The attack is carried out remotely, but it may require some form of authentication bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version >1.0.0 (check vendor for specific version)

Vendor Advisory: Not specified in provided references

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. Back up the current installation.
3. Apply the patch or upgrade to the fixed version.
4. Verify that authorization controls are properly implemented.

🔧 Temporary Workarounds

Network Access Restriction

Linux

Restrict network access to the port that serves the vulnerable /adposition/queryAll endpoint. Note that iptables filters by port, not by URL path, so this blocks the whole application port for untrusted sources, not only the one endpoint; the ACCEPT rule must come before the DROP rule, and any earlier ACCEPT rule in the INPUT chain will still take precedence because -A appends.

# Allow only trusted source addresses to reach the application port.
# [PORT] and [TRUSTED_IPS] are placeholders: a TCP port number and a CIDR or comma-separated address list.
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IPS] -j ACCEPT
# Drop every other connection attempt to that port.
iptables -A INPUT -p tcp --dport [PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the vulnerable system
  • Deploy web application firewall (WAF) rules to block unauthorized access to /adposition/queryAll endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the deployment is running fuyang_lipengjun platform version 1.0.0, and test whether the /adposition/queryAll endpoint can be reached without proper authorization.

Check Version:

Check application configuration files or admin interface for version information

Verify Fix Applied:

After patching, verify that unauthorized access to the /adposition/queryAll endpoint is properly blocked (the request should be rejected rather than answered with data).

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /adposition/queryAll
  • Multiple failed authorization attempts followed by successful queryAll access

Network Indicators:

  • Unusual traffic patterns to /adposition/queryAll endpoint
  • Requests bypassing normal authentication flows

SIEM Query (pseudo-query; replace authorized_user with the accounts that are permitted to call this endpoint):

source="web_logs" AND (uri="/adposition/queryAll" AND NOT user="authorized_user")
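The two log indicators above can be checked offline against web-server access logs. The following script is an added example and is not part of the advisory or of the fuyang_lipengjun project; it assumes combined-format access logs in which the third field records the authenticated user ("-" when none) and that the application answers authorization failures with 401 or 403. The log lines are constructed for the example, not real traffic.

```python
"""Added example (not from the advisory or the fuyang_lipengjun project):
scan access logs for the CVE-2025-10086 log indicators listed above.

Assumptions (constructed for this example):
  - Logs are in Apache/nginx combined format; the third field is the
    authenticated user as the server recorded it ("-" when none).
  - The application answers authorization failures with 401 or 403.
"""
import re
from collections import defaultdict

VULN_PATH = "/adposition/queryAll"

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2025:10:00:01 +0000] "GET /adposition/queryAll?page=1 HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.4 - admin [01/Oct/2025:10:00:05 +0000] "GET /adposition/queryAll HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Oct/2025:10:01:00 +0000] "GET /admin/dashboard HTTP/1.1" 403 120 "-" "curl/8.0"
203.0.113.9 - - [01/Oct/2025:10:01:02 +0000] "GET /admin/users HTTP/1.1" 401 120 "-" "curl/8.0"
203.0.113.9 - - [01/Oct/2025:10:01:05 +0000] "GET /adposition/queryAll HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.10 - - [01/Oct/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the route, not the query string
    return rec


def find_indicators(log_text, auth_fail_threshold=2):
    """Return (kind, source_ip, time) alerts for the two advisory indicators.

    'unauth_queryAll'  : the vulnerable route answered with a non-4xx status
                         while no authenticated user was recorded.
    'fail_then_success': a client collected >= auth_fail_threshold 401/403
                         responses and afterwards reached the route successfully.
    """
    alerts = []
    fails = defaultdict(int)  # per-source count of 401/403 responses seen so far
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["status"] in (401, 403):
            fails[ip] += 1
            continue
        if rec["path"] == VULN_PATH and rec["status"] < 400:
            if rec["user"] == "-":
                alerts.append(("unauth_queryAll", ip, rec["time"]))
            if fails[ip] >= auth_fail_threshold:
                alerts.append(("fail_then_success", ip, rec["time"]))
    return alerts


def alert_summary(alerts):
    """Group alert kinds by source IP for a quick triage view."""
    by_ip = defaultdict(set)
    for kind, ip, _ in alerts:
        by_ip[ip].add(kind)
    return {ip: sorted(kinds) for ip, kinds in by_ip.items()}


if __name__ == "__main__":
    for kind, ip, when in find_indicators(SAMPLE_LOG):
        print(f"{kind:18} src={ip:14} at {when}")
```

Run it against a real log file by replacing SAMPLE_LOG with the file contents. The "user" field is only meaningful if the server records the application's authenticated identity there; if authentication state lives in a session cookie instead, the first indicator needs to be derived from the application's own audit log rather than from the access log.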

🔗 References
