Remote Code Execution Vulnerability in roncoo-pay by Roncoo
CVE-2025-10287

2.3 LOW

Key Information:

Vendor:
Roncoo

CVE Published:
12 September 2025

What is CVE-2025-10287?

A security vulnerability has been identified in the roncoo-pay payment system, affecting the /auth/orderQuery endpoint. Manipulating the 'orderNo' argument can cause the application to issue unauthorized remote requests. The attack complexity is rated high, so exploitation is considered difficult. Because the product follows a rolling-release model, no affected or fixed version numbers are available; only the affected commit hash listed below is given. The issue was disclosed to the vendor early, but the vendor has not responded. Note that the CVSS v4 vector published for this entry records a low confidentiality impact and no integrity or availability impact, which does not describe code execution; the impact documented here is limited to attacker-influenced outbound requests.
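The advisory gives no detail of how roncoo-pay handles 'orderNo' internally, so the following is an added illustration of the general hardening pattern for a parameter like this one, not code from roncoo-pay or from VulDB: the parameter is checked against a strict allow-list and then used only as a lookup key, never as part of an outbound request target. The order-number format, the in-memory order store and the sample inputs are all constructed assumptions for the example.

```python
import re
from typing import Optional

# Conservative allow-list for an order number. The advisory does not state
# roncoo-pay's real orderNo format, so this pattern is an assumption.
ORDER_NO_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed sample data standing in for a payment order store.
ORDERS = {
    "PAY20250912000001": {"amount": "19.90", "status": "PAID"},
    "PAY20250912000002": {"amount": "5.00", "status": "PENDING"},
}


def validate_order_no(order_no: str) -> Optional[str]:
    """Return the order number unchanged if it matches the allow-list, else None.

    Anything URL-shaped, path-like or containing encoded characters fails the
    pattern, so it can never reach code that builds a request from it.
    """
    if not isinstance(order_no, str) or not ORDER_NO_RE.fullmatch(order_no):
        return None
    return order_no


def order_query(order_no: str) -> dict:
    """Resolve an order by its number without letting the caller steer any
    outbound request. The validated value is used only as a dictionary key
    (in a real service: a bound query parameter), never concatenated into a
    URL, hostname or command line."""
    validated = validate_order_no(order_no)
    if validated is None:
        return {"error": "invalid orderNo"}
    record = ORDERS.get(validated)
    if record is None:
        return {"error": "order not found"}
    return {"orderNo": validated, **record}


if __name__ == "__main__":
    # Constructed inputs: one valid order, one unknown order, two hostile shapes.
    for sample in [
        "PAY20250912000001",
        "PAY20250912000009",
        "https://internal.example/admin",
        "PAY2025..%2f..%2f",
    ]:
        print(repr(sample), "->", order_query(sample))
```

The point of the allow-list is that the rejection happens on shape, not on a denylist of known-bad hosts or schemes, so new bypass encodings do not need to be anticipated.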

Affected Version(s)

roncoo-pay, commit 9428382af21cd5568319eae7429b7e1d0332ff40 (rolling release; no version number is assigned)

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

aibot888 (VulDB User)