CVE-2025-10278
📋 TL;DR
This vulnerability allows unauthorized contact transfer in YunaiV ruoyi-vue-pro CRM systems. Attackers can remotely manipulate contact ownership without proper authorization checks. Organizations using ruoyi-vue-pro up to 2025.09 are affected.
💻 Affected Systems
- YunaiV ruoyi-vue-pro
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could transfer all CRM contacts to unauthorized users, causing complete data integrity loss and business disruption.
Likely Case
Selective contact transfer to malicious actors, leading to data theft, privacy violations, and operational confusion.
If Mitigated
Limited impact with proper network segmentation and monitoring, though authorization bypass remains possible.
🎯 Exploit Status
Exploit details are published on vulnerability databases and blogs, making exploitation straightforward for attackers with basic knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: None - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Consider upgrading to versions after 2025.09 if available, or implement workarounds.
🔧 Temporary Workarounds
Disable contact transfer endpoint
Temporarily disable the vulnerable /crm/contact/transfer endpoint
# Configure web server or application firewall to block /crm/contact/transfer
Implement additional authorization layer
Add server-side authorization checks before processing contact transfers
# Modify application code to validate user permissions for contact transfer operations
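The second workaround is an object-level authorization check: the handler must confirm that the caller may act on the specific contact before changing its owner. The following is an added illustration of that pattern in Python, not ruoyi-vue-pro code (the project is Java); the data model, the permission name `crm:contact:transfer`, and the audit tuple layout are assumptions. The unchecked handler is shown first to make the defect class visible, followed by the hardened form.

```python
"""Object-level authorization for a CRM contact transfer (added example).

Not ruoyi-vue-pro code: Contact/User, the permission name and the audit
record layout are assumptions chosen to show the principle.
"""
from dataclasses import dataclass, field


@dataclass
class Contact:
    id: int
    owner_user_id: int


@dataclass
class User:
    id: int
    permissions: set = field(default_factory=set)


class AuthorizationError(PermissionError):
    """Raised when the caller may not transfer the requested contact."""


# Assumed permission name for staff allowed to reassign contacts they do not own.
TRANSFER_PERMISSION = "crm:contact:transfer"


def transfer_contact_unchecked(contacts, contact_id, new_owner_id):
    """The defect pattern: any authenticated caller can reassign any contact,
    because the handler never asks who is calling or what they own."""
    contact = contacts[contact_id]
    contact.owner_user_id = new_owner_id
    return contact


def can_transfer(user, contact):
    """Object-level check: the caller owns this contact or holds the transfer
    permission. Being logged in is not sufficient."""
    return contact.owner_user_id == user.id or TRANSFER_PERMISSION in user.permissions


def transfer_contact(user, contacts, known_user_ids, contact_id, new_owner_id, audit):
    """Hardened handler: validate the target, authorize against the specific
    contact, then mutate and record an audit event for both outcomes."""
    contact = contacts.get(contact_id)
    if contact is None:
        raise LookupError(f"contact {contact_id} not found")
    if new_owner_id not in known_user_ids:
        raise ValueError(f"unknown target user {new_owner_id}")
    if not can_transfer(user, contact):
        audit.append(("denied", user.id, contact_id, new_owner_id))
        raise AuthorizationError(f"user {user.id} may not transfer contact {contact_id}")
    previous = contact.owner_user_id
    contact.owner_user_id = new_owner_id
    audit.append(("transferred", user.id, contact_id, previous, new_owner_id))
    return contact


def demo():
    """Constructed scenario: an owner, an unrelated user and a manager."""
    contacts = {1: Contact(1, owner_user_id=10), 2: Contact(2, owner_user_id=20)}
    known = {10, 20, 30}
    owner = User(10)
    other = User(20)
    manager = User(30, permissions={TRANSFER_PERMISSION})
    audit = []
    results = {}
    try:
        transfer_contact(other, contacts, known, 1, 20, audit)  # not owner, no permission
        results["other"] = "allowed"
    except AuthorizationError:
        results["other"] = "denied"
    transfer_contact(owner, contacts, known, 1, 30, audit)    # owner may hand off
    transfer_contact(manager, contacts, known, 2, 10, audit)  # permission holder may reassign
    results["contact1_owner"] = contacts[1].owner_user_id
    results["contact2_owner"] = contacts[2].owner_user_id
    results["audit_events"] = len(audit)
    return results


if __name__ == "__main__":
    print(demo())
```

The denied attempt is written to the audit trail as well as rejected, which is what makes the "contact ownership changes from unexpected users" indicator in the detection section observable.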
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the application
- Enable detailed logging and monitoring for contact transfer activities
🔍 How to Verify
Check if Vulnerable:
Check whether the application version is ruoyi-vue-pro 2025.09 or earlier and whether the /crm/contact/transfer endpoint is reachable
Check Version:
# Check application version in configuration files or admin interface
Verify Fix Applied:
Test contact transfer functionality with an unauthorized user; the request should be denied
📡 Detection & Monitoring
Log Indicators:
- Unauthorized POST requests to /crm/contact/transfer
- Contact ownership changes from unexpected users
Network Indicators:
- HTTP POST requests to /crm/contact/transfer with manipulated parameters
SIEM Query:
web.url:*crm/contact/transfer AND http.method:POST AND NOT user.role:authorized
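The SIEM query above can be checked offline before it goes into production. The following Python script is an added example, not part of the advisory or of ruoyi-vue-pro: it implements the two log indicators (POST to /crm/contact/transfer from a caller without an authorized role, and an ownership-change audit event whose actor is neither the previous owner nor a privileged role) over constructed JSON-lines records. The field names, the `audit`/`http` record types and the set of authorized roles are assumptions.

```python
"""Detection logic for the advisory's log indicators (added example).

The JSON-lines format, field names and AUTHORIZED_ROLES are assumptions;
SAMPLE_LOGS is constructed, not captured from a real system.
"""
import json

TRANSFER_PATH = "/crm/contact/transfer"
AUTHORIZED_ROLES = {"crm_admin", "sales_manager"}  # assumed roles allowed to transfer

# Constructed sample records: HTTP access events and application audit events.
SAMPLE_LOGS = [
    '{"ts":"2025-09-20T10:00:01Z","type":"http","method":"POST","url":"/crm/contact/transfer","user":"alice","role":"sales_manager","src":"10.0.1.5"}',
    '{"ts":"2025-09-20T10:02:17Z","type":"http","method":"POST","url":"/crm/contact/transfer?id=42","user":"bob","role":"sales_rep","src":"10.0.1.9"}',
    '{"ts":"2025-09-20T10:02:40Z","type":"http","method":"GET","url":"/crm/contact/page","user":"bob","role":"sales_rep","src":"10.0.1.9"}',
    '{"ts":"2025-09-20T10:05:03Z","type":"http","method":"post","url":"/crm/contact/transfer","user":"","role":"","src":"203.0.113.7"}',
    'this line is not json and must be skipped',
    '{"ts":"2025-09-20T10:02:18Z","type":"audit","event":"contact_owner_changed","contact_id":42,"actor":"bob","actor_role":"sales_rep","old_owner":"alice","new_owner":"bob"}',
    '{"ts":"2025-09-20T10:00:02Z","type":"audit","event":"contact_owner_changed","contact_id":17,"actor":"alice","actor_role":"sales_manager","old_owner":"carol","new_owner":"dave"}',
]


def parse_line(line):
    """Return the record as a dict, or None for malformed input."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) else None


def is_transfer_request(ev):
    """POST to the transfer path; the query string is ignored so ?id=... still matches."""
    path = ev.get("url", "").split("?", 1)[0]
    return (
        ev.get("type") == "http"
        and ev.get("method", "").upper() == "POST"
        and path == TRANSFER_PATH
    )


def unauthorized_transfer_request(ev):
    """Indicator 1: transfer request from a caller without an authorized role
    (an empty role, i.e. an unauthenticated request, is also flagged)."""
    return is_transfer_request(ev) and ev.get("role") not in AUTHORIZED_ROLES


def unexpected_owner_change(ev):
    """Indicator 2: ownership changed by someone who was neither the previous
    owner nor a holder of an authorized role."""
    if ev.get("type") != "audit" or ev.get("event") != "contact_owner_changed":
        return False
    return ev.get("actor") != ev.get("old_owner") and ev.get("actor_role") not in AUTHORIZED_ROLES


def scan(lines):
    """Return (line_number, indicator, principal) for every matching record."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            continue
        if unauthorized_transfer_request(ev):
            findings.append((n, "unauthorized_transfer_request", ev.get("user") or "<anonymous>"))
        elif unexpected_owner_change(ev):
            findings.append((n, "unexpected_owner_change", ev.get("actor")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Correlating the two indicators is the useful part: the request on line 2 and the audit event on line 6 share the actor and a one-second gap, which is a much stronger signal than either record alone. Tune `AUTHORIZED_ROLES` to the roles that legitimately reassign contacts in your deployment, otherwise the query will alert on every manager-driven transfer.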