Cyber Posture

CVE-2025-70985

Severity: Critical · Public PoC referenced

Published: 23 January 2026
Modified: 30 January 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (5.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-70985 is a critical-severity Improper Access Control (CWE-284) vulnerability in RuoYi (vendor Ruoyi, product Ruoyi). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit likelihood ranks at the 5.5th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved authorizations for access to information and resources, directly countering the incorrect access control that allows unauthorized data modification in the update function.

Prevent: AC-24 (Access Control Decisions) requires explicit access control decisions that authorize personnel or roles to specific resources, mitigating the missing authorization checks (CWE-862) in the update function of RuoYi v4.8.2.

Prevent: AC-6 (Least Privilege) limits user or process access to only the data scopes they need, reducing the blast radius of improper access control flaws.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated remote exploitation of missing authorization in a public-facing update function directly matches initial access via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.

Deeper analysis [AI-generated]

CVE-2025-70985, published on 2026-01-23, is an incorrect access control vulnerability in the update function of RuoYi version 4.8.2. This issue, mapped to CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting its critical severity due to high impacts on confidentiality and integrity with no availability disruption.

The vulnerability enables unauthenticated remote attackers to exploit the flawed access controls in the update function, allowing them to arbitrarily modify data beyond their authorized scope. Exploitation requires low complexity and no user interaction, making it accessible to any network adversary without privileges.

Advisories and related resources provide further context for mitigation and patching: a detailed report at https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f, the official RuoYi repository at https://gitee.com/y_project/RuoYi, an issue discussion at https://gitee.com/y_project/RuoYi/issues/IDIDK2, and a GitHub mirror at https://github.com/yangzongzhuan/RuoYi. Security practitioners should review these for updates specific to RuoYi v4.8.2.

Details

CWE(s): CWE-284 (Improper Access Control), CWE-862 (Missing Authorization)

Affected Products

Vendor: ruoyi
Product: ruoyi
Versions: 4.8.1, 4.8.2

CVEs Like This One

CVE-2025-70986 (same product: Ruoyi Ruoyi)
CVE-2025-0734 (same product: Ruoyi Ruoyi)
CVE-2024-57521 (same product: Ruoyi Ruoyi)
CVE-2024-57436 (same product: Ruoyi Ruoyi)
CVE-2025-69220 (shared CWE-284, CWE-862)
CVE-2026-28276 (shared CWE-284, CWE-862)
CVE-2025-67974 (shared CWE-862)
CVE-2026-28254 (shared CWE-862)
CVE-2026-3266 (shared CWE-862)
CVE-2025-69297 (shared CWE-862)
