CVE-2025-65276
Published: 26 November 2025
Summary
CVE-2025-65276 is a critical-severity Improper Access Control (CWE-284) vulnerability in Henzljw Hashtech. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 22.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-65276, published on 2025-11-26, is an unauthenticated administrative access vulnerability in the open-source HashTech project hosted at https://github.com/henzljw/hashtech. It affects versions from 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (dated 2021-07-02). The flaw arises from missing authentication checks on the /admin_index.php endpoint, enabling direct access to the admin dashboard without valid credentials. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control).
An unauthenticated attacker with network access can exploit this vulnerability by directly requesting the /admin_index.php URL. This grants full administrative control, including the ability to view and modify user accounts, manage orders, change payment details, and edit product listings. Exploitation leads to information disclosure, data manipulation, and privilege escalation.
The original advisory, with additional details, is available at https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-199763
Vulnerability details
An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control, including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote access to the administrative dashboard of a public-facing web application, directly enabling exploitation of public-facing applications for initial access and full administrative control.
Mitigating Controls (NIST 800-53 r5)
AC-3 requires systems to enforce approved authorizations for logical access, directly addressing the missing authentication checks that allow unauthenticated access to /admin_index.php.
SC-14 mandates protections for security-relevant functions accessible publicly over the network, preventing unauthenticated exploitation of the admin dashboard.
AC-14 requires explicit authorization for any permitted actions without identification or authentication, ensuring administrative access is not allowed without credentials.
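As an added illustration of the access enforcement that AC-3 and AC-14 describe, and of the missing check that the analysis above identifies, here is a session-based guard that an admin page such as /admin_index.php would include before producing any output. This is example code written for this page, not code from the HashTech project; the file name auth_guard.php, the session keys admin_id and role, the login path /admin_login.php and the helper names are assumptions.

```php
<?php
// Added example, not code from the HashTech project. Shows the pattern
// the vulnerability lacks (a check before rendering the admin page) and
// a reusable guard that enforces it. File name, session keys, role name
// and login path are assumptions.

declare(strict_types=1);

// Vulnerable pattern (illustrative, not the project's code): the admin
// page starts rendering with no check of who is asking, so any
// unauthenticated GET receives the dashboard.
//
//   <?php
//   include 'header.php';
//   // ... dashboard markup follows immediately ...
//
// Hardened pattern: every admin page runs require_admin() first.

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie hardening: HttpOnly keeps scripts away from the session id,
    // SameSite=Strict limits cross-site use, Secure requires HTTPS.
    session_set_cookie_params([
        'path'     => '/',
        'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

/**
 * Allow the request only when the session belongs to an authenticated
 * admin (AC-3 access enforcement). Anyone else is redirected to the login
 * page before a single byte of the dashboard is sent (AC-14: no permitted
 * admin action without identification and authentication).
 */
function require_admin(string $login_url = '/admin_login.php'): bool
{
    start_secure_session();

    $authenticated = isset($_SESSION['admin_id'])
        && is_int($_SESSION['admin_id'])
        && ($_SESSION['role'] ?? '') === 'admin';

    if ($authenticated) {
        return true;
    }

    header('Cache-Control: no-store');
    header('Location: ' . $login_url, true, 302);
    exit;
}

/**
 * Called by the login handler only after credentials have been verified
 * (credential verification itself is out of scope here). Regenerating the
 * session id on privilege change prevents session fixation.
 */
function establish_admin_session(int $admin_id): void
{
    start_secure_session();
    session_regenerate_id(true);
    $_SESSION['admin_id'] = $admin_id;
    $_SESSION['role']     = 'admin';
}

// At the very top of admin_index.php, before any output:
//   require_once __DIR__ . '/auth_guard.php';
//   require_admin();
```

To confirm the guard is in place on an instance you administer, an unauthenticated request to /admin_index.php should now answer with a 302 to the login page (and no dashboard markup in the body) instead of a 200. The same check, run from a web-server access log, gives a simple detection rule: a 200 response to /admin_index.php from a client with no preceding successful login is exactly the condition this CVE describes.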