Cyber Resilience

CVE-2025-70985

Severity: Critical · Public PoC available

Published: 23 January 2026
Modified: 30 January 2026
CISA KEV: not listed
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0038 (29.9th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-70985 is a critical-severity Improper Access Control (CWE-284) vulnerability in Ruoyi Ruoyi. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-70985, published on 2026-01-23, is an incorrect access control vulnerability in the update function of RuoYi version 4.8.2. This issue, mapped to CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting its critical severity due to high impacts on confidentiality and integrity with no availability disruption.

The vulnerability enables unauthenticated remote attackers to exploit the flawed access controls in the update function, allowing them to arbitrarily modify data beyond their authorized scope. Exploitation requires low complexity and no user interaction, making it accessible to any network adversary without privileges.

Advisories and related resources, including a detailed report at https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f, the official RuoYi repository at https://gitee.com/y_project/RuoYi, an issue discussion at https://gitee.com/y_project/RuoYi/issues/IDIDK2, and a GitHub mirror at https://github.com/yangzongzhuan/RuoYi, provide further context for mitigation and patching. Security practitioners should review these for updates specific to RuoYi v4.8.2.


Vulnerability details

Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.

CWE(s): CWE-284 (Improper Access Control), CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of missing authorization in a public-facing update function directly matches initial access via exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70986: same product (Ruoyi Ruoyi)
CVE-2025-0734: same product (Ruoyi Ruoyi)
CVE-2024-57521: same product (Ruoyi Ruoyi)
CVE-2024-57436: same product (Ruoyi Ruoyi)
CVE-2026-28276: shared CWE-284, CWE-862
CVE-2026-42569: shared CWE-284, CWE-862
CVE-2026-46818: shared CWE-284
CVE-2026-7198: shared CWE-284
CVE-2025-69311: shared CWE-862
CVE-2026-3266: shared CWE-862

Affected Assets

Vendor: ruoyi
Product: ruoyi
Versions: 4.8.1, 4.8.2

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved authorizations for access to information and resources, directly countering the incorrect access control that allows unauthorized data modifications in the update function.

Prevent: AC-24 (Access Control Decisions) requires explicit access control decisions authorizing personnel or roles to specific resources, mitigating the missing authorization checks (CWE-862) in RuoYi v4.8.2's update function.

Prevent: AC-6 (Least Privilege) limits user or process access to only the necessary data scopes, reducing the blast radius of improper access control flaws.
