Cyber Resilience

CVE-2025-70141

CriticalPublic PoC

Published: 18 February 2026

Published
18 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0055 41.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-70141 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oretnom23 Customer Support System. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-70141, published on 2026-02-18T17:21:35.700, is an incorrect access control vulnerability affecting SourceCodester Customer Support System 1.0. The issue resides in ajax.php, where the AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. This flaw, linked to CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests with specific action parameters, the attacker can perform sensitive administrative operations, including creating customers, deleting users (such as the admin account), and modifying or deleting other application records like tickets, departments, and comments, resulting in unauthorized data modification.

Mitigation details can be found in the provided references, including the SourceCodester download page at https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code and the analysis at https://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive…

more

operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an incorrect access control in a public-facing web application's AJAX endpoint, allowing unauthenticated remote attackers to invoke administrative functions for unauthorized data modification and account deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26705Same vendor: Oretnom23
CVE-2026-26892Same vendor: Oretnom23
CVE-2025-0173Same vendor: Oretnom23
CVE-2026-26707Same vendor: Oretnom23
CVE-2026-30531Same vendor: Oretnom23
CVE-2026-30532Same vendor: Oretnom23
CVE-2026-3806Same vendor: Oretnom23
CVE-2026-3771Same vendor: Oretnom23
CVE-2026-26706Same vendor: Oretnom23
CVE-2026-30529Same vendor: Oretnom23

Affected Assets

oretnom23
customer support system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires the AJAX dispatcher to enforce authentication and authorization before invoking sensitive administrative methods in admin_class.php based on the action parameter.

prevent

Ensures least privilege restricts unauthenticated attackers from performing administrative operations like creating customers, deleting users, or modifying records.

prevent

Mandates access control decision logic to authorize requests prior to dispatching action parameters to administrative functions, preventing unauthorized execution.

References