Cyber Posture

CVE-2025-68434

Severity: High
Public PoC: yes

Published: 17 December 2025
Modified: 18 December 2025
KEV Added: not listed
Patch: available (version 3.4.2)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.6th percentile)
Risk Priority: 18 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68434 is a high-severity CSRF (CWE-352) vulnerability in Opensourcepos Open Source Point Of Sale. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.6th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Create Account (T1136). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SC-23 (Session Authenticity) mandates protections for session authenticity, such as CSRF tokens, directly preventing unauthorized state-changing POST requests initiated from malicious web pages.

prevent: SI-10 (Information Input Validation) requires validation of information inputs, including CSRF tokens, so that forged state-changing requests lacking a valid token are rejected before they are processed.

prevent: CM-6 (Configuration Settings) ensures secure configuration settings, such as enabling the CSRF filter in app/Config/Filters.php, to mitigate vulnerabilities that arise from explicitly disabled protections.
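The CM-6 control above comes down to one setting: whether the csrf filter is an active entry in the before-globals of app/Config/Filters.php. The following audit script is an added example, not opensourcepos or CodeIgniter code. The two config fragments it carries are constructed to mirror the stock CodeIgniter 4 Filters.php layout (a commented-out `// 'csrf',` line versus an uncommented one); the function names are this example's own. It strips PHP comments first so a commented-out entry is never mistaken for an active one, and it also accepts CodeIgniter's keyed form `'csrf' => ['except' => [...]]`.

```python
"""Audit a CodeIgniter 4 app/Config/Filters.php for an active CSRF filter.

Added example (not opensourcepos or CodeIgniter code). It checks the one
setting CVE-2025-68434 hinges on: whether 'csrf' is listed, uncommented,
in the 'before' list of $globals. The two config fragments below are
constructed to mirror the stock CodeIgniter 4 layout.
"""
import re
from typing import Optional

# Constructed sample: the weak form, csrf filter commented out (as in 3.4.0/3.4.1).
VULNERABLE_FILTERS_PHP = """<?php
namespace Config;

class Filters extends BaseConfig
{
    public array $globals = [
        'before' => [
            // 'honeypot',
            // 'csrf',
            // 'invalidchars',
        ],
        'after' => [
            'toolbar',
            // 'honeypot',
        ],
    ];
}
"""

# Constructed sample: the corrected form, csrf filter enabled.
FIXED_FILTERS_PHP = VULNERABLE_FILTERS_PHP.replace("// 'csrf',", "'csrf',")


def _strip_php_comments(src: str) -> str:
    """Remove /* ... */ blocks and // or # line comments. String literals are
    not parsed, which is fine for a filters config that contains none with
    comment markers."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)


def _before_globals(src: str) -> Optional[str]:
    """Return the text inside $globals['before'] => [ ... ], or None."""
    m = re.search(r"\$globals\s*=\s*\[", src)
    if not m:
        return None
    body = src[m.end():]
    b = re.search(r"'before'\s*=>\s*\[", body)
    if not b:
        return None
    # Walk brackets to the matching close of the 'before' array, so nested
    # option arrays such as ['except' => [...]] do not end it early.
    depth, i = 1, b.end()
    while i < len(body) and depth:
        depth += {"[": 1, "]": -1}.get(body[i], 0)
        i += 1
    return body[b.end():i - 1] if depth == 0 else None


def csrf_filter_enabled(src: str) -> bool:
    """True when 'csrf' is an active entry in the 'before' globals, either
    as a plain  'csrf',  entry or as  'csrf' => [...] . An unparseable
    config is reported as not protected."""
    before = _before_globals(_strip_php_comments(src))
    if before is None:
        return False
    return re.search(r"""['"]csrf['"]\s*(,|=>|$)""", before.strip()) is not None


def audit_file(path: str) -> bool:
    """Audit a real Filters.php on disk, e.g. audit_file('app/Config/Filters.php')."""
    with open(path, encoding="utf-8") as fh:
        return csrf_filter_enabled(fh.read())


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_FILTERS_PHP), ("fixed", FIXED_FILTERS_PHP)):
        print(f"{label}: csrf filter enabled = {csrf_filter_enabled(src)}")
```

Run it against a deployment's own app/Config/Filters.php with `audit_file`; a False result on a version in the 3.4.0 to 3.4.1 range is the configuration this CVE describes, and the page's guidance is to upgrade to 3.4.2 rather than only uncomment the line.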

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account (Persistence)
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

The CSRF vulnerability in the web-based POS application lets an unauthenticated remote attacker exploit a public-facing application (T1190) by luring a logged-in administrator to a malicious page that forges state-changing requests from the victim's browser; the forged request creates an unauthorized administrator account (T1136) that gives the attacker persistent access.

NVD Description

Open Source Point of Sale (opensourcepos) is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery (CSRF) vulnerability exists in the application's filter configuration. The CSRF protection mechanism was **explicitly disabled**, allowing the application to process state-changing requests (POST) without verifying a valid CSRF token. An unauthenticated remote attacker can exploit this by hosting a malicious web page. If a logged-in administrator visits this page, their browser is forced to send unauthorized requests to the application. A successful exploit allows the attacker to silently create a new Administrator account with full privileges, leading to a complete takeover of the system and loss of confidentiality, integrity, and availability. The vulnerability has been patched in version 3.4.2. The fix re-enables the CSRF filter in `app/Config/Filters.php` and resolves associated AJAX race conditions by adjusting token regeneration settings. As a workaround, administrators can manually re-enable the CSRF filter in `app/Config/Filters.php` by uncommenting the protection line. However, this is not recommended without applying the full patch, as it may cause functionality breakage in the Sales module due to token synchronization issues.

Deeper analysis

CVE-2025-68434 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Open Source Point of Sale (opensourcepos) application. This web-based point-of-sale system, written in PHP using the CodeIgniter framework, explicitly disabled its CSRF protection mechanism in the filter configuration starting from version 3.4.0 and prior to version 3.4.2. As a result, the application processes state-changing POST requests without verifying a valid CSRF token, exposing it to unauthorized actions.

An unauthenticated remote attacker can exploit this vulnerability by hosting a malicious web page. If a logged-in administrator visits the page, their browser is tricked into sending unauthorized POST requests to the opensourcepos application. A successful exploit silently creates a new Administrator account with full privileges, enabling complete system takeover and compromising confidentiality, integrity, and availability. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility and low complexity, though it requires user interaction.

The vulnerability is patched in version 3.4.2, which re-enables the CSRF filter in app/Config/Filters.php and addresses related AJAX race conditions through adjusted token regeneration settings. As a workaround, administrators can manually re-enable the CSRF filter by uncommenting the relevant line in app/Config/Filters.php, but this is not recommended without the full patch, as it may break functionality in the Sales module due to token synchronization issues. Official details are available in the GitHub security advisory (GHSA-wjm4-hfwg-5w5r), pull request #4349, and the fixing commit d575c8da9a1d7af8313a1e758e000e243f5614ef.
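Both the NVD description and the analysis above mention that re-enabling the filter on its own can break the Sales module through token synchronization issues, and that the fix adjusts token regeneration. The simulation below is an added example, not opensourcepos or CodeIgniter code: it models a synchronizer-token check in a few lines and replays several AJAX requests that were all issued with the token embedded when the page was rendered, which is what a screen firing concurrent XHRs does. With the token rotated after every request, only the first request passes; with a per-session token, all pass, while a cross-origin forgery fails in both modes. CodeIgniter exposes this knob as `$regenerate` in app/Config/Security.php; which value the 3.4.2 fix settled on is not stated on this page and is not assumed by the code.

```python
"""Why per-request CSRF token regeneration races with concurrent AJAX.

Added example, not opensourcepos or CodeIgniter code. Models a
synchronizer-token check and replays XHRs that all carry the token the
page was rendered with. Class and function names are this example's own.
"""
import hmac
import secrets
from typing import List, Optional


class CsrfSession:
    """Minimal synchronizer-token state for one logged-in session."""

    def __init__(self, regenerate_per_request: bool) -> None:
        self.regenerate_per_request = regenerate_per_request
        self.token = secrets.token_hex(16)

    def verify(self, submitted: Optional[str]) -> bool:
        """Constant-time compare of the submitted token against the session's
        current token; optionally rotate the token after a successful check."""
        ok = submitted is not None and hmac.compare_digest(submitted, self.token)
        if ok and self.regenerate_per_request:
            self.token = secrets.token_hex(16)
        return ok


def replay_concurrent_ajax(regenerate_per_request: bool, requests: int = 3) -> List[bool]:
    """Simulate `requests` XHRs fired from one rendered page: each carries the
    token baked into the page at render time and none waits for the previous
    response, so none can pick up a rotated token."""
    session = CsrfSession(regenerate_per_request)
    page_token = session.token
    return [session.verify(page_token) for _ in range(requests)]


def forged_request_blocked(regenerate_per_request: bool) -> bool:
    """A cross-origin attacker page cannot read the victim's token, so its
    forged POST carries none, or at best a guess; both must be rejected."""
    session = CsrfSession(regenerate_per_request)
    missing_rejected = not session.verify(None)
    guess_rejected = not session.verify(secrets.token_hex(16))
    return missing_rejected and guess_rejected


if __name__ == "__main__":
    print("rotate per request :", replay_concurrent_ajax(True))   # only the first XHR passes
    print("per-session token  :", replay_concurrent_ajax(False))  # every XHR passes
    print("forgery blocked    :", forged_request_blocked(True), forged_request_blocked(False))
```

The takeaway for the workaround paragraph above: flipping the filter back on restores the forgery check in both modes, but if the token is rotated per request, any page that issues overlapping XHRs with the render-time token will see all but the first rejected, which is the Sales-module breakage the advisory warns about.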

Details

CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

opensourcepos
open source point of sale
3.4.0 up to, but not including, 3.4.2 (fixed in 3.4.2)

CVEs Like This One

CVE-2026-26746 (same product: Opensourcepos Open Source Point Of Sale)
CVE-2026-32888 (same product: Opensourcepos Open Source Point Of Sale)
CVE-2025-70093 (same product: Opensourcepos Open Source Point Of Sale)
CVE-2018-25200 (shared CWE-352)
CVE-2026-22194 (shared CWE-352)
CVE-2024-56901 (shared CWE-352)
CVE-2025-27910 (shared CWE-352)
CVE-2025-25907 (shared CWE-352)
CVE-2015-20117 (shared CWE-352)
CVE-2026-40764 (shared CWE-352)

References