What is the CVSS score of CVE-2025-70985?

CVE-2025-70985 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Ruoyi are affected by CVE-2025-70985?

CVE-2025-70985 is a critical access control flaw in RuoYi v4.8.2 that allows attackers to modify any data in the system without authorization, potentially affecting all organizations running this…

Is there a public PoC exploit available for CVE-2025-70985?

Yes, a public proof-of-concept exploit is available for CVE-2025-70985. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-70985?

Within 24 hours: Identify all systems running RuoYi v4.8.2 and isolate them from production networks if possible; disable the update function if operationally feasible; implement network segmentation to restrict access to the application. Within 7 days: Deploy compensating controls including WAF rules to detect/block unauthorized update requests; implement strict access logging and monitoring on all data modification attempts; conduct an audit of recent data changes for signs of compromise. Within 30 days: Plan and execute migration to a patched RuoYi version or alternative solution; coordinate with vendor for patch release timeline; complete forensic analysis of any suspicious activity.

Ruoyi CVE-2025-70985

CRITICAL

Improper Access Control (CWE-284)

2026-01-23 cve@mitre.org

Authentication Bypass Ruoyi

9.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 30, 2026 - 21:27 vuln.today

Public exploit code

CVE Published

Jan 23, 2026 - 19:15 nvd

CRITICAL 9.1

DescriptionCVE.org

Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope.

AnalysisAI

RuoYi v4.8.2 has an access control flaw in the update function allowing unauthorized attackers to modify arbitrary data in the admin management system.

Technical ContextAI

RuoYi v4.8.2 has a CWE-284 incorrect access control vulnerability in the update function that allows unauthenticated or low-privileged users to modify data without proper authorization checks.

RemediationAI

Update RuoYi. Implement proper authorization checks on all update endpoints.

CVE-2025-70985 vulnerability details – vuln.today

Back

Ruoyi CVE-2025-70985

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code