CVE-2025-70073
Published: 05 February 2026
Summary
CVE-2025-70073 is a high-severity Code Injection (CWE-94) vulnerability in 1000Mz Chestnutcms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-70073 is a code injection vulnerability (CWE-94) in ChestnutCMS versions 1.5.8 and earlier. The flaw exists in the template creation function, enabling a remote attacker to execute arbitrary code. Published on 2026-02-05, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.
Exploitation requires high privileges, such as administrative access, allowing a remote attacker to target the system with low complexity and no user interaction. Upon success, the attacker can execute arbitrary code, achieving high confidentiality, integrity, and availability impacts, potentially leading to full server compromise.
Mitigation details are available in the referenced GitHub issue at https://github.com/liweiyi/ChestnutCMS/issues/8.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206857
Vulnerability details
An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Code injection in web app template function enables remote code execution on public-facing CMS (T1190) and direct deployment of persistent web shell (T1505.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Validates all inputs to the template creation function, directly blocking the code injection that enables arbitrary execution.
Disables or restricts the template creation capability to only approved, non-executable functions, eliminating the attack vector.
Limits administrative accounts permitted to use the template function, reducing the number of high-privilege users who can trigger the flaw.