diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
index 1e41777..fd101d5 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysProfileController.java
@@ -23,6 +23,7 @@ import com.ruoyi.common.utils.StringUtils;
 import com.ruoyi.common.utils.file.FileUploadUtils;
 import com.ruoyi.common.utils.file.FileUtils;
 import com.ruoyi.common.utils.file.MimeTypeUtils;
+import com.ruoyi.framework.web.service.PasswordTransferCryptoService;
 import com.ruoyi.framework.web.service.TokenService;
 import com.ruoyi.system.service.ISysUserService;
 
@@ -41,6 +42,9 @@ public class SysProfileController extends BaseController
     @Autowired
     private TokenService tokenService;
 
+    @Autowired
+    private PasswordTransferCryptoService passwordTransferCryptoService;
+
     /**
      * 个人信息
      */
@@ -92,8 +96,8 @@ public class SysProfileController extends BaseController
     @PutMapping("/updatePwd")
     public AjaxResult updatePwd(@RequestBody Map params)
     {
-        String oldPassword = params.get("oldPassword");
-        String newPassword = params.get("newPassword");
+        String oldPassword = passwordTransferCryptoService.decrypt(params.get("oldPassword"));
+        String newPassword = passwordTransferCryptoService.decrypt(params.get("newPassword"));
         LoginUser loginUser = getLoginUser();
         Long userId = loginUser.getUserId();
         SysUser user = userService.selectUserById(userId);
diff --git a/ruoyi-admin/src/test/java/com/ruoyi/web/controller/system/SysProfileControllerPasswordTransferTest.java b/ruoyi-admin/src/test/java/com/ruoyi/web/controller/system/SysProfileControllerPasswordTransferTest.java
new file mode 100644
index 0000000..aea25a4
--- /dev/null
+++ b/ruoyi-admin/src/test/java/com/ruoyi/web/controller/system/SysProfileControllerPasswordTransferTest.java
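Review bot: The two added `decrypt(...)` calls in updatePwd run before any null or format check, so a request with a missing, empty or undecryptable `oldPassword`/`newPassword` (including a plaintext value from a client that has not been updated) now depends entirely on how `PasswordTransferCryptoService.decrypt` behaves on bad input, which this diff does not show — if it throws, the failure surfaces as an unhandled exception instead of a controlled `AjaxResult`, and if it returns null the old-password comparison further down will most likely NPE. I would guard before decrypting, e.g. `if (StringUtils.isEmpty(params.get("oldPassword")) || StringUtils.isEmpty(params.get("newPassword"))) return error("旧密码和新密码不能为空");`, and make the endpoint fail closed with an error result rather than a 500 when decryption fails. Other endpoints that accept passwords (login, user add/edit/resetPwd) are not touched here; if the frontend now encrypts everywhere they need the same treatment, which cannot be confirmed from this diff. Worth a comment on the field that this transport encryption does not replace TLS: a captured ciphertext can presumably be replayed as-is unless the service binds it to a nonce or timestamp. The body of updatePwd, including the old-password check, continues past the end of the hunk.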
@@ -0,0 +1,72 @@
+package com.ruoyi.web.controller.system;
+
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import java.util.Collections;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import com.ruoyi.common.core.domain.entity.SysUser;
+import com.ruoyi.common.core.domain.model.LoginUser;
+import com.ruoyi.common.utils.SecurityUtils;
+import com.ruoyi.framework.web.service.PasswordTransferCryptoService;
+import com.ruoyi.framework.web.service.TokenService;
+import com.ruoyi.system.service.ISysUserService;
+
+class SysProfileControllerPasswordTransferTest
+{
+    @AfterEach
+    void tearDown()
+    {
+        SecurityContextHolder.clearContext();
+    }
+
+    @Test
+    void shouldDecryptPasswordsBeforeCheckingOldPassword() throws Exception
+    {
+        ISysUserService userService = mock(ISysUserService.class);
+        TokenService tokenService = mock(TokenService.class);
+        PasswordTransferCryptoService passwordTransferCryptoService = mock(PasswordTransferCryptoService.class);
+        when(passwordTransferCryptoService.decrypt("oldCipher")).thenReturn("oldPlain");
+        when(passwordTransferCryptoService.decrypt("newCipher")).thenReturn("newPlain");
+        when(userService.resetUserPwd(org.mockito.ArgumentMatchers.anyLong(), org.mockito.ArgumentMatchers.anyString()))
+            .thenReturn(1);
+
+        SysUser storedUser = new SysUser();
+        storedUser.setUserId(2L);
+        storedUser.setPassword(SecurityUtils.encryptPassword("oldPlain"));
+        when(userService.selectUserById(2L)).thenReturn(storedUser);
+
+        SysUser currentUser = new SysUser();
+        currentUser.setUserId(2L);
+        currentUser.setUserName("admin");
+        LoginUser loginUser = new LoginUser(2L, 1L, currentUser, Collections.emptySet());
+        SecurityContextHolder.getContext()
+            .setAuthentication(new UsernamePasswordAuthenticationToken(loginUser, null, Collections.emptyList()));
+
+        SysProfileController controller = new SysProfileController();
+        ReflectionTestUtils.setField(controller, "userService", userService);
+        ReflectionTestUtils.setField(controller, "tokenService", tokenService);
+        ReflectionTestUtils.setField(controller, "passwordTransferCryptoService", passwordTransferCryptoService);
+
+        MockMvc mockMvc = MockMvcBuilders.standaloneSetup(controller).build();
+
+        mockMvc.perform(put("/system/user/profile/updatePwd")
+            .contentType("application/json")
+            .content("{\"oldPassword\":\"oldCipher\",\"newPassword\":\"newCipher\"}"))
+            .andExpect(status().isOk());
+
+        verify(passwordTransferCryptoService).decrypt("oldCipher");
+        verify(passwordTransferCryptoService).decrypt("newCipher");
+        verify(userService).resetUserPwd(org.mockito.ArgumentMatchers.eq(2L), org.mockito.ArgumentMatchers.anyString());
+        verify(tokenService).setLoginUser(loginUser);
+    }
+}
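Review bot: The closing assertion `verify(userService).resetUserPwd(eq(2L), anyString())` only proves that some string was stored, not that it is the hash of the decrypted `newPlain`; capturing it with `ArgumentCaptor<String> pwd = ArgumentCaptor.forClass(String.class);` in the verify and asserting `SecurityUtils.matchesPassword("newPlain", pwd.getValue())` would pin the behavior the test name promises. There is also no negative case: a request whose old password decrypts to something other than the stored password, or a plaintext `oldPlain` sent without encryption, should be shown to be rejected, otherwise a regression that drops the decrypt and compares raw input would still pass this mocked flow. Since the crypto service is a mock, nothing here exercises the real `PasswordTransferCryptoService`, so a separate test on that class with a malformed ciphertext is needed to cover the failure path. Note as well that if error results follow the usual `AjaxResult` convention of HTTP 200 with an error code in the body, `status().isOk()` would also pass on a rejected password, so asserting on the JSON `code` field would be stronger.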