Login Sign Up

CVE-2025-10674

4.3 MEDIUM
Authentication Bypass

📋 TL;DR

CVE-2025-10674 is an improper authorization vulnerability in the fuyang_lipengjun platform 1.0 that allows attackers to access the /attributecategory/queryAll endpoint without proper permissions. This affects all users running version 1.0 of the platform and can be exploited remotely.

💻 Affected Systems

Products:
  • fuyang_lipengjun platform
Versions: 1.0
Operating Systems: Any OS running the platform
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default.

📦 What is this software?

Platform by Fuyang Lipengjun

View all CVEs affecting Platform →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive attribute category data, potentially leading to information disclosure or unauthorized data manipulation.

🟠

Likely Case

Unauthorized access to attribute category information, potentially exposing internal data structures or configuration details.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and the exploit is publicly available.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to gain unauthorized access to system data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit is publicly available and described in blog posts, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Implement Access Control

all

Add proper authorization checks to the AttributeCategoryController and /attributecategory/queryAll endpoint

Implement role-based access control (RBAC) or similar authorization mechanism

Network Segmentation

all

Restrict network access to the vulnerable endpoint

Configure firewall rules to limit access to /attributecategory/queryAll endpoint

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block unauthorized access to the vulnerable endpoint
  • Monitor access logs for suspicious activity targeting /attributecategory/queryAll

🔍 How to Verify

Check if Vulnerable:

Check if running fuyang_lipengjun platform version 1.0 and test if /attributecategory/queryAll endpoint is accessible without proper authorization

Check Version:

Check application configuration files or documentation for version information

Verify Fix Applied:

Test that /attributecategory/queryAll endpoint now requires proper authentication and authorization

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /attributecategory/queryAll
  • Multiple failed authorization attempts

Network Indicators:

  • Unusual traffic patterns to /attributecategory/queryAll endpoint
  • Requests bypassing authentication

SIEM Query:

source_ip=* AND uri_path="/attributecategory/queryAll" AND (auth_status="failed" OR auth_status="none")

📊 Metadata

CVE ID: CVE-2025-10674
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-266
EPSS Score: 0.02% exploit probability (5.2th percentile)
Published: September 18, 2025
Last Updated: October 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10674, you might also want to check these:

CVE-2026-23800 10.0

This vulnerability allows attackers to escalate privileges in Modular DS modular-connector WordPress...

Same vulnerability type (CWE-266)
CVE-2026-23550 10.0

This critical vulnerability in Modular DS allows attackers to escalate privileges due to incorrect p...

Same vulnerability type (CWE-266)
CVE-2025-41115 10.0

A critical vulnerability in Grafana's SCIM provisioning allows malicious SCIM clients to provision u...

Same vulnerability type (CWE-266)