CVE-2025-70141
Published: 18 February 2026
Summary
CVE-2025-70141 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oretnom23 Customer Support System. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires the AJAX dispatcher to enforce authentication and authorization before invoking sensitive administrative methods in admin_class.php based on the action parameter.
Ensures least privilege restricts unauthenticated attackers from performing administrative operations like creating customers, deleting users, or modifying records.
Mandates access control decision logic to authorize requests prior to dispatching action parameters to administrative functions, preventing unauthorized execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an incorrect access control in a public-facing web application's AJAX endpoint, allowing unauthenticated remote attackers to invoke administrative functions for unauthorized data modification and account deletion.
NVD Description
SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive…
more
operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.
Deeper analysisAI
CVE-2025-70141, published on 2026-02-18T17:21:35.700, is an incorrect access control vulnerability affecting SourceCodester Customer Support System 1.0. The issue resides in ajax.php, where the AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. This flaw, linked to CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests with specific action parameters, the attacker can perform sensitive administrative operations, including creating customers, deleting users (such as the admin account), and modifying or deleting other application records like tickets, departments, and comments, resulting in unauthorized data modification.
Mitigation details can be found in the provided references, including the SourceCodester download page at https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code and the analysis at https://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/.
Details
- CWE(s)