CVE-2025-15120

3.1 LOW

📋 TL;DR

This CVE describes an improper authorization vulnerability in JeecgBoot's getDeptRoleList function. Attackers can manipulate the departId parameter to potentially access unauthorized department role information. Organizations using JeecgBoot up to version 3.9.0 are affected.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: Up to and including 3.9.0
Operating Systems: All platforms running JeecgBoot
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected JeecgBoot versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could enumerate department roles and potentially escalate privileges to access sensitive administrative functions or data.
🟠 Likely Case: Information disclosure of department role structures, potentially enabling reconnaissance for further attacks.
🟢 If Mitigated: Minimal impact with proper authorization controls and network segmentation in place.

🌐 Internet-Facing: MEDIUM - Attack is possible remotely but requires high complexity and specific knowledge of the application.
🏢 Internal Only: MEDIUM - Internal attackers with some application knowledge could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploit has been published but requires understanding of JeecgBoot's authorization mechanisms and department structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: Yes

Instructions:

1. Monitor the JeecgBoot GitHub repository for security updates.
2. Upgrade to version 3.9.1 or higher when available.
3. Restart application services after the upgrade.

🔧 Temporary Workarounds

Implement API Authorization Middleware (platform: all)

Add custom authorization checks before the getDeptRoleList function executes, so that the caller's department membership or role is validated against the requested departId rather than trusting the parameter.

# Requires code modification - implement authorization logic in controller layer

Restrict Access to /sys/sysDepartRole/ Endpoints (platform: linux)

Use a web application firewall or reverse proxy to restrict access to the vulnerable endpoints

# Example nginx location block:
location /sys/sysDepartRole/ {
    deny all;
    # Or restrict to specific IP ranges
}

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate JeecgBoot instances from untrusted networks
  • Deploy web application firewall with custom rules to detect and block manipulation of departId parameter

🔍 How to Verify

Check if Vulnerable:

Check the JeecgBoot version in the application properties or via the admin interface. If the version is 3.9.0 or lower, the system is vulnerable.

Check Version:

Check jeecg-boot/jeecg-boot-parent/pom.xml for version tag or examine application startup logs

Verify Fix Applied:

Test the /sys/sysDepartRole/getDeptRoleList endpoint with manipulated departId parameters to verify proper authorization checks.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /sys/sysDepartRole/getDeptRoleList
  • Multiple failed authorization attempts with different departId values
  • Requests with suspicious departId parameters outside expected ranges

Network Indicators:

  • HTTP requests to vulnerable endpoint with manipulated query parameters
  • Unusual traffic patterns to administrative API endpoints

SIEM Query:

source="jeecgboot-logs" AND uri="/sys/sysDepartRole/getDeptRoleList" AND (departId NOT IN expected_values OR departId contains special_chars)
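The log indicators above, turned into a small detector as an added example (not part of the advisory or of JeecgBoot). It runs over constructed access-log lines in an assumed "<ISO timestamp> <client ip> <user> <method> <uri>" format and flags two things: a departId outside the expected numeric format, and one user requesting many distinct departId values within a short window, which is the enumeration pattern the SIEM query is meant to catch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs
# Constructed sample lines (not real JeecgBoot output); the line format is an assumption.
SAMPLE_LOG = """\
2025-01-10T09:00:01 10.0.0.5 alice GET /sys/sysDepartRole/getDeptRoleList?departId=1001
2025-01-10T09:00:02 10.0.0.5 alice GET /sys/sysDepartRole/getDeptRoleList?departId=1002
2025-01-10T09:00:03 10.0.0.5 alice GET /sys/sysDepartRole/getDeptRoleList?departId=1003
2025-01-10T09:00:04 10.0.0.5 alice GET /sys/sysDepartRole/getDeptRoleList?departId=1004
2025-01-10T09:00:05 10.0.0.5 alice GET /sys/sysDepartRole/getDeptRoleList?departId=1005
2025-01-10T09:05:00 10.0.0.9 bob GET /sys/sysDepartRole/getDeptRoleList?departId=2001
2025-01-10T09:06:00 10.0.0.9 bob GET /sys/sysDepartRole/getDeptRoleList?departId=%2A
2025-01-10T09:07:00 10.0.0.7 carol GET /sys/user/list
"""
TARGET = "/sys/sysDepartRole/getDeptRoleList"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
EXPECTED_ID = re.compile(r"^[0-9]+$")  # assumption: departId values are numeric

def parse(line):
    # Return (timestamp, user, departId) for hits on the vulnerable endpoint, else None
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, _ip, user, _method, uri = m.groups()
    path, _, query = uri.partition("?")
    if path != TARGET:
        return None
    depart = parse_qs(query).get("departId", [""])[0]  # parse_qs URL-decodes values
    return datetime.fromisoformat(ts), user, depart

def detect(log_text, window=timedelta(minutes=1), threshold=5):
    # Flag malformed departId values and users requesting >= threshold distinct ids per window
    alerts, per_user = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, depart = rec
        if not EXPECTED_ID.match(depart):
            alerts.append((user, "departId outside expected format: %r" % depart))
        per_user[user].append((ts, depart))
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {d for t, d in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append((user, "%d distinct departId values within %s" % (len(distinct), window)))
                break
    return alerts
```

Tune `threshold` and `window` to the normal number of departments a user legitimately browses; the numeric-ID assumption should be replaced with whatever ID format your deployment actually uses.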
