CVE-2025-10822 – CVE-2025-10822 is an improper authorization vul... (How to Fix)

Q: What is the severity of CVE-2025-10822?

CVE-2025-10822 has a CVSS score of 4.3 (MEDIUM). CVE-2025-10822 is an improper authorization vulnerability in the fuyang_lipengjun platform 1.0 that allows unauthorized access to SMS log data via the SysSmsLogController function. Attackers can remotely exploit this to view sensitive SMS logs without proper authentication. Organizations using fuyang_lipengjun platform 1.0 are affected.

📋 TL;DR

CVE-2025-10822 is an improper authorization vulnerability in the fuyang_lipengjun platform 1.0 that allows unauthorized access to SMS log data via the SysSmsLogController function. Attackers can remotely exploit this to view sensitive SMS logs without proper authentication. Organizations using fuyang_lipengjun platform 1.0 are affected.

💻 Affected Systems

Products:

fuyang_lipengjun platform

Versions: 1.0

Operating Systems: Any OS running the platform

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable by default. The vulnerability is in the /sys/smslog/queryAll endpoint.

📦 What is this software?

Platform by Fuyang Lipengjun

View all CVEs affecting Platform →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete exposure of all SMS log data including potentially sensitive user information, message contents, and metadata to unauthorized parties.

🟠

Likely Case

Unauthorized viewing of SMS logs containing user phone numbers, timestamps, and potentially message content or metadata.

🟢

If Mitigated

Limited to no impact if proper authentication and authorization controls are implemented and enforced.

🌐 Internet-Facing: HIGH - Attack can be performed remotely and exploit is publicly disclosed.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit has been publicly disclosed and requires some authentication but bypasses authorization checks. Attackers need some level of access to the system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - check vendor for updated version

Vendor Advisory: Not available - check project repository or maintainer

Restart Required: No

Instructions:

1. Contact the fuyang_lipengjun platform maintainers for patch information. 2. Apply any available security updates. 3. Review and update authorization logic for SysSmsLogController.

🔧 Temporary Workarounds

Access Control Restriction

all

Implement proper authorization checks before allowing access to SMS log data

Implement role-based access control for /sys/smslog/queryAll endpoint

Network Segmentation

all

Restrict network access to the vulnerable endpoint

Configure firewall rules to limit access to /sys/smslog/* paths

🧯 If You Can't Patch

Implement strict authentication and authorization middleware for all sensitive endpoints
Monitor access to /sys/smslog/queryAll endpoint and alert on unauthorized attempts

🔍 How to Verify

Check if Vulnerable:

Test if unauthorized users can access /sys/smslog/queryAll endpoint and retrieve SMS log data

Check Version:

Check platform configuration files or admin interface for version information

Verify Fix Applied:

Verify that proper authorization checks are enforced before allowing access to SMS log data

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /sys/smslog/queryAll
Multiple failed authentication attempts followed by successful SMS log access

Network Indicators:

Unusual traffic patterns to SMS log endpoints
Requests to /sys/smslog/queryAll from unauthorized IPs

SIEM Query:

source="web_logs" AND (uri="/sys/smslog/queryAll" OR uri="/sys/smslog/*") AND (user="unauthorized" OR auth_status="failed")

📊 Metadata

CVE ID: CVE-2025-10822

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-266

EPSS Score: 0.04% exploit probability (12.7th percentile)

Published: September 23, 2025

Last Updated: October 3, 2025

🔗 References

https://vuldb.com/?ctiid.325179 Permissions Required,VDB Entry
https://vuldb.com/?id.325179 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.653743 Third Party Advisory,VDB Entry
https://www.cnblogs.com/aibot/p/19063462 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10822, you might also want to check these: