CVE-2025-28408

9.8 CRITICAL

📋 TL;DR

A privilege escalation vulnerability in RUoYi v.4.8.0 allows remote attackers to gain elevated privileges by exploiting improper validation of the deptId parameter in the selectDeptTree method. This affects all systems running the vulnerable version of RUoYi, potentially enabling attackers to compromise administrative functions.

💻 Affected Systems

Products:
  • RUoYi
Versions: v.4.8.0
Operating Systems: All platforms running RUoYi
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects RUoYi version 4.8.0; other versions may be unaffected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover with administrative privileges, allowing data exfiltration, system modification, and lateral movement within the network.

🟠 Likely Case: Unauthorized privilege escalation leading to unauthorized access to sensitive administrative functions and data.

🟢 If Mitigated: Limited impact with proper input validation and access controls in place, potentially preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access but is straightforward once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v.4.8.1 or later

Vendor Advisory: https://github.com/yangzongzhuan/RuoYi

Restart Required: Yes

Instructions:

1. Back up the current installation.
2. Update to RUoYi v.4.8.1 or later from the official repository.
3. Restart the application server.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement strict input validation for the deptId parameter to prevent malicious values.
Modify the selectDeptTree method to validate deptId against allowed values.

Access Control Restriction (applies to: all)

Restrict access to the /selectDeptTree/{deptId} endpoint to authorized users only.
Configure application firewall rules to limit endpoint access.

🧯 If You Can't Patch

  • Implement network segmentation to isolate RUoYi systems from critical infrastructure
  • Deploy web application firewall (WAF) with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check RUoYi version in application configuration or via version endpoint; if version is 4.8.0, system is vulnerable.

Check Version:

Check application configuration file or use version API endpoint if available.

Verify Fix Applied:

After patching, verify version is 4.8.1 or later and test the selectDeptTree endpoint with malicious inputs to ensure proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /selectDeptTree endpoint
  • Multiple failed privilege escalation attempts
  • Suspicious deptId parameter values

Network Indicators:

  • HTTP requests to /selectDeptTree/{deptId} with unusual parameter values
  • Traffic spikes to administrative endpoints

SIEM Query:

source="ruoyi_logs" AND (uri="/selectDeptTree" OR deptId="*malicious*")
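An added detection example (not RuoYi project code and not part of this advisory) that applies the log indicators above to constructed access-log lines: it flags non-numeric deptId values, successful requests for a deptId outside a user's allowed set, and one user walking many distinct deptIds. The combined-log line format, the user names, the per-user allow-list and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict

# Combined-log style line: src - user [time] "request" status size (assumed format).
LOG_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] (".*?") (\d{3})')
# Endpoint named in the advisory; any path prefix is accepted.
ENDPOINT_RE = re.compile(r'"(?:GET|POST) \S*/selectDeptTree/([^ ?"]*)')

# Constructed allow-list of deptIds each user may legitimately request.
# In a real deployment this comes from the application's own dept scoping.
ALLOWED_DEPTS = {"admin": {100, 101, 102, 200}, "user1": {101}}

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2025:10:00:01 +0000] "GET /selectDeptTree/100 HTTP/1.1" 200 512',
    '10.0.0.9 - user1 [12/Mar/2025:10:00:02 +0000] "GET /selectDeptTree/101 HTTP/1.1" 200 480',
    '10.0.0.9 - user1 [12/Mar/2025:10:00:03 +0000] "GET /selectDeptTree/200 HTTP/1.1" 200 640',
    '10.0.0.9 - user1 [12/Mar/2025:10:00:04 +0000] "GET /selectDeptTree/100 HTTP/1.1" 200 512',
    '10.0.0.9 - user1 [12/Mar/2025:10:00:05 +0000] "GET /selectDeptTree/abc HTTP/1.1" 400 0',
    '10.0.0.7 - user2 [12/Mar/2025:10:00:06 +0000] "GET /login HTTP/1.1" 200 1024',
]

def parse_line(line):
    """Return (src, user, raw_dept_id, status) or None if not a selectDeptTree hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, user, request, status = m.groups()
    e = ENDPOINT_RE.search(request)
    return (src, user, e.group(1), int(status)) if e else None

def detect(lines, enum_threshold=3):
    """Return (rule, user, detail) findings for the three indicators."""
    findings = []
    distinct = defaultdict(set)  # user -> deptIds requested
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        _src, user, raw, status = hit
        if not re.fullmatch(r"[0-9]+", raw):  # deptId must be a plain integer
            findings.append(("malformed_deptid", user, raw))
            continue
        dept = int(raw)
        distinct[user].add(dept)
        # A 200 for a dept the user is not scoped to is the escalation signal.
        if user in ALLOWED_DEPTS and dept not in ALLOWED_DEPTS[user] and status == 200:
            findings.append(("out_of_scope_deptid", user, raw))
    for user, depts in distinct.items():
        if len(depts) >= enum_threshold:
            findings.append(("deptid_enumeration", user, f"{len(depts)} distinct deptIds"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```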

🔗 References