Cyber Resilience

CVE-2025-65276

Critical

Published: 26 November 2025

Modified: 30 December 2025
KEV Added: not listed
Patch: none listed
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0007 (22.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-65276 is a critical-severity Improper Access Control (CWE-284) vulnerability in henzljw's HashTech, an open-source PHP web application. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 22.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog, so the high CVSS score is not yet matched by observed exploitation in the wild.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-65276, published on 2025-11-26, is an unauthenticated administrative access vulnerability in the open-source HashTech project hosted at https://github.com/henzljw/hashtech. It affects versions from 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (dated 2021-07-02). The flaw is a missing authentication check on the /admin_index.php endpoint: the script renders the admin dashboard without first verifying that the requester holds a valid administrator session. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-284 (Improper Access Control); CWE-284 is the class-level weakness, and the more specific CWE-306 (Missing Authentication for Critical Function) describes the actual defect.

An unauthenticated attacker with network access to the application exploits the flaw simply by requesting the /admin_index.php URL; no credential, session cookie or token is needed (PR:N, UI:N). The dashboard then grants full administrative control, including viewing and modifying user accounts, managing orders, changing payment details and editing product listings. The impact is information disclosure, data manipulation and privilege escalation to administrator, which is why confidentiality, integrity and availability are all rated High. The advisory names only /admin_index.php; whether the other admin-side scripts perform their own session check is not stated, so a deployment should treat the whole admin area as exposed until verified.

Advisories are available at https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836 for additional details.


Vulnerability details

An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 thru commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control, including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation.

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote access to the administrative dashboard of a public-facing web application, directly enabling exploitation of public-facing applications for initial access and full administrative control.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39339 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2025-26010 (shared CWE-284)
CVE-2026-34291 (shared CWE-284)
CVE-2023-47539 (shared CWE-284)
CVE-2026-23899 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)
CVE-2026-46822 (shared CWE-284)
CVE-2024-37566 (shared CWE-284)
CVE-2026-30689 (shared CWE-284)

Affected Assets

henzljw hashtech, 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (≤ 2021-07-02)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

AC-3 requires the system to enforce approved authorizations for logical access, which directly addresses the missing authentication check that lets anyone reach /admin_index.php. In practice this is a server-side session check that runs before any admin page renders, applied by default to every admin-side script rather than added opt-in per page.

SC-14 Public Access Protections (prevent)

SC-14 was cited for protecting security-relevant functions that are reachable over a public network. Note that SC-14 is withdrawn in SP 800-53 Rev 5 (its content was incorporated into AC-2, AC-3, AC-5, AC-6 and the SI-3, SI-4, SI-5, SI-7 and SI-10 controls), so when reporting against Rev 5 map this mitigation to AC-3 and the relevant SI controls instead.

AC-14 Permitted Actions Without Identification or Authentication (prevent)

AC-14 requires the organization to explicitly identify, and justify, the actions that may be performed without identification or authentication. The concrete form of that control is an enumerated allowlist of public pages (for example the login page), with everything else, the admin dashboard included, denied by default.
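The following is an added example, not HashTech's PHP code: a Python model of the AC-3 and AC-14 controls above, showing the vulnerable dispatch pattern (route by path only) beside a hardened one that enforces a server-side session check before any non-public path is dispatched. /admin_index.php stands in for the affected endpoint; /index.php and /login.php are assumed public pages, and PHPSESSID is used as the cookie name only because it is PHP's default. In a PHP application the same control is the session check at the top of each admin script, before any output, with an exit immediately after the redirect header.

```python
"""Default-deny access enforcement for admin pages, modelled in Python.

Added example for the AC-3 / AC-14 controls above; it is not HashTech's PHP.
/admin_index.php stands in for the affected endpoint, /index.php and
/login.php are assumed public pages, and PHPSESSID is used as the cookie
name only because that is PHP's default.
"""
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[str, List[Tuple[str, str]], bytes]
Handler = Callable[[dict], Response]

# AC-14: the enumerated, justified set of actions allowed with no authentication.
PUBLIC_PATHS = frozenset({"/", "/index.php", "/login.php"})

# Server-side session store: opaque random id -> username. Only the id travels
# in the cookie, so a client cannot mint a valid session by guessing a value.
SESSIONS: Dict[str, str] = {}


def login(username: str) -> str:
    """Create a session after credentials were verified; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def _cookie(environ: dict, name: str) -> Optional[str]:
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def current_user(environ: dict) -> Optional[str]:
    """Resolve the request's session cookie to a user, or None if absent/unknown."""
    sid = _cookie(environ, "PHPSESSID")
    return SESSIONS.get(sid) if sid else None


def index(environ: dict) -> Response:
    return "200 OK", [("Content-Type", "text/html")], b"<h1>Shop</h1>"


def login_page(environ: dict) -> Response:
    return "200 OK", [("Content-Type", "text/html")], b'<form><input type="password" name="pw"></form>'


def admin_index(environ: dict) -> Response:
    return "200 OK", [("Content-Type", "text/html")], b"<h1>Admin Dashboard</h1>"


ROUTES: Dict[str, Handler] = {
    "/": index, "/index.php": index, "/login.php": login_page,
    "/admin_index.php": admin_index,
}


def _dispatch(environ: dict, start_response) -> List[bytes]:
    handler = ROUTES.get(environ["PATH_INFO"])
    status, headers, body = handler(environ) if handler else ("404 Not Found", [], b"")
    start_response(status, headers)
    return [body]


def vulnerable_app(environ: dict, start_response) -> List[bytes]:
    """The CVE pattern: routing by path only, so anyone reaches /admin_index.php."""
    return _dispatch(environ, start_response)


def hardened_app(environ: dict, start_response) -> List[bytes]:
    """AC-3 enforced before dispatch; only PUBLIC_PATHS (AC-14) skip the check."""
    if environ["PATH_INFO"] not in PUBLIC_PATHS and current_user(environ) is None:
        start_response("302 Found", [("Location", "/login.php"),
                                     ("Cache-Control", "no-store")])
        return [b""]
    return _dispatch(environ, start_response)


def call(app, path: str, session_id: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "HTTP_COOKIE": f"PHPSESSID={session_id}" if session_id else "",
    }
    captured: dict = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print("vulnerable, anonymous:", call(vulnerable_app, "/admin_index.php")[0])
    print("hardened, anonymous:  ", call(hardened_app, "/admin_index.php")[0])
    print("hardened, logged in:  ", call(hardened_app, "/admin_index.php", login("admin"))[0])
```

The point of the design is that the check lives in front of the router, not inside individual page handlers: an admin page that is added later, or a path that does not exist at all, is still redirected to the login page unless it is on the public allowlist, which is the default-deny posture AC-3 and AC-14 together describe.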
