CVE-2025-10988 – This vulnerability allows unauthorized access t... (How to Fix)

Q: What is the severity of CVE-2025-10988?

CVE-2025-10988 has a CVSS score of 6.3 (MEDIUM). This vulnerability allows unauthorized access to the business transfer functionality in YunaiV ruoyi-vue-pro CRM systems. Attackers can remotely exploit this improper authorization flaw to perform unauthorized actions. All deployments of ruoyi-vue-pro up to version 2025.09 are affected.

📋 TL;DR

This vulnerability allows unauthorized access to the business transfer functionality in YunaiV ruoyi-vue-pro CRM systems. Attackers can remotely exploit this improper authorization flaw to perform unauthorized actions. All deployments of ruoyi-vue-pro up to version 2025.09 are affected.

💻 Affected Systems

Products:

YunaiV ruoyi-vue-pro

Versions: up to 2025.09

Operating Systems: Any OS running the application

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the /crm/business/transfer endpoint. All deployments with this endpoint exposed are vulnerable.

📦 What is this software?

Ruoyi Vue Pro by Iocoder

View all CVEs affecting Ruoyi Vue Pro →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of CRM business transfer functionality allowing unauthorized data manipulation, financial fraud, or business logic disruption.

🟠

Likely Case

Unauthorized access to sensitive business transfer operations, potentially leading to data exposure or unauthorized business process modifications.

🟢

If Mitigated

Limited impact with proper authentication and authorization controls, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH - Attack can be launched remotely and exploit is publicly available.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external threat is higher due to remote nature.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit is publicly available according to references. Requires some understanding of the application's business logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor did not respond to disclosure

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to any version after 2025.09 if available, or implement workarounds.

🔧 Temporary Workarounds

Access Control Restriction

all

Implement strict authorization checks for the /crm/business/transfer endpoint

Endpoint Disablement

all

Temporarily disable or restrict access to the vulnerable endpoint

🧯 If You Can't Patch

Implement network segmentation to restrict access to the vulnerable endpoint
Deploy WAF rules to detect and block unauthorized access attempts to /crm/business/transfer

🔍 How to Verify

Check if Vulnerable:

Check if your ruoyi-vue-pro version is 2025.09 or earlier and has the /crm/business/transfer endpoint accessible

Check Version:

Check application version in package.json or build configuration

Verify Fix Applied:

Test authorization controls on the /crm/business/transfer endpoint with unauthorized users

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /crm/business/transfer
Failed authorization logs for business transfer operations

Network Indicators:

Unusual traffic patterns to /crm/business/transfer endpoint
Requests bypassing normal authentication flows

SIEM Query:

source="web_server" AND (uri="/crm/business/transfer" AND (response_code=200 OR response_code=403))

📊 Metadata

CVE ID: CVE-2025-10988

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-266

EPSS Score: 0.06% exploit probability (19.9th percentile)

Published: September 26, 2025

Last Updated: November 14, 2025

🔗 References

https://vuldb.com/?ctiid.325911 Permissions Required,VDB Entry
https://vuldb.com/?id.325911 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.653736 Third Party Advisory,VDB Entry
https://www.cnblogs.com/aibot/p/19063563 Broken Link

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10988, you might also want to check these: