Cyber Posture

CVE-2025-70150

Critical · Public PoC

Published: 18 February 2026
Modified: 23 February 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-70150 is a critical-severity Missing Authorization (CWE-862) vulnerability in CodeAstro Membership Management System 1.0: the delete_members.php endpoint deletes the record named by its id parameter without checking that the caller is authenticated or authorized to do so. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.8% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) for initial access and Data Destruction (T1485) for impact. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-14 Permitted Actions Without Identification or Authentication (prevent)

Explicitly defines and authorizes only specific actions that may occur without identification or authentication, so that delete operations such as the one in delete_members.php are never reachable by unauthenticated callers.

AC-3 Access Enforcement (prevent)

Enforces approved access control policies on every request, blocking unauthenticated access to sensitive operations such as deleting a member record via the id parameter.

AC-6 Least Privilege (prevent)

Applies least privilege so that delete functions require an appropriately authorized role rather than merely a logged-in session, limiting who can remove member records even after authentication is enforced.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Unauthenticated attackers can exploit the public-facing web application (T1190) to delete arbitrary member records, enabling data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
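The T1190-then-T1485 pattern above (an external client walking the id space of delete_members.php) is visible in ordinary web server access logs even though those logs do not record session state. The following detection is an added example written for this page, not part of the original page or the vendor's software; the log lines are constructed for the demo, the /mms/ path prefix and the client addresses are assumed, and the script keys on the endpoint name and id parameter taken from the NVD description. It flags a source that hits the delete endpoint repeatedly, enumerates consecutive ids, or sends no Referer (the sign of a scripted request rather than a click in the application's UI).

```php
<?php
// Added example: detect abuse of delete_members.php in combined-format access logs.
// Constructed sample lines (not real traffic); path prefix and IPs are assumptions.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [18/Feb/2026:19:02:11 +0000] "GET /mms/delete_members.php?id=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [18/Feb/2026:19:02:12 +0000] "GET /mms/delete_members.php?id=2 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [18/Feb/2026:19:02:12 +0000] "GET /mms/delete_members.php?id=3 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [18/Feb/2026:19:05:40 +0000] "GET /mms/members.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Feb/2026:19:06:02 +0000] "GET /mms/delete_members.php?id=42 HTTP/1.1" 302 0 "https://mms.example/mms/members.php" "Mozilla/5.0"
LOG;

// ip, timestamp, method, request target, status, referer, user agent
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^" ]+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';

function parseLine(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $query);
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
        'path' => $url['path'] ?? '', 'query' => $query,
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

// Returns one alert per client that touched the delete endpoint suspiciously.
function findDeleteAbuse(string $log, int $volumeThreshold = 3): array
{
    $perIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseLine($line);
        if ($r === null || !str_ends_with($r['path'], '/delete_members.php') || !isset($r['query']['id'])) {
            continue;
        }
        $perIp[$r['ip']]['ids'][] = (int) $r['query']['id'];
        $perIp[$r['ip']]['no_referer'] = ($perIp[$r['ip']]['no_referer'] ?? 0) + ($r['referer'] === '-' ? 1 : 0);
        $perIp[$r['ip']]['ua'] = $r['ua'];
    }

    $alerts = [];
    foreach ($perIp as $ip => $info) {
        $ids = $info['ids'];
        sort($ids);
        // Consecutive ids from one client look like enumeration, not a user clicking "delete".
        $sequential = count($ids) >= 2 && ($ids[count($ids) - 1] - $ids[0]) === count($ids) - 1;
        $reasons = [];
        if (count($ids) >= $volumeThreshold) {
            $reasons[] = 'volume';
        }
        if ($sequential) {
            $reasons[] = 'sequential ids';
        }
        if ($info['no_referer'] > 0) {
            $reasons[] = 'no referer';
        }
        if ($reasons !== []) {
            $alerts[] = ['ip' => $ip, 'ids' => $ids, 'ua' => $info['ua'], 'reasons' => $reasons];
        }
    }
    return $alerts;
}

foreach (findDeleteAbuse(SAMPLE_LOG) as $a) {
    printf("%s hit delete_members.php for ids [%s] via %s: %s\n",
        $a['ip'], implode(',', $a['ids']), $a['ua'], implode(', ', $a['reasons']));
}
```

Referer and User-Agent are attacker-controlled, so treat them as corroboration rather than a gate; the volume and sequential-id signals are the ones that survive a careful attacker, and an application-level audit log of who deleted what (only possible once the endpoint actually authenticates) is the reliable source.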

NVD Description

CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.

Deeper analysis

CVE-2025-70150 is a Missing Authorization (CWE-862) vulnerability in CodeAstro Membership Management System version 1.0, specifically in the delete_members.php component: the script performs the deletion without first verifying that the request comes from an authenticated, authorized user (NVD words this as "missing authentication"). The result is that an unauthenticated attacker can delete arbitrary member records simply by supplying an id parameter. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

An unauthenticated remote attacker exploits this by requesting the delete_members.php endpoint directly with a chosen id value; the matching member record is deleted, and repeating the request over a range of id values removes the whole membership table. Successful exploitation destroys data integrity and availability, and because no credentials are needed there is no login event to correlate; whether the deletions are noticed depends on the web server and application logging in place.
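The controls above (AC-14, AC-3 and least privilege) and the exploitation path just described come down to one missing check in the delete handler. The code below is an added example written for this page to show the flaw class side by side with a hardened handler; it is not CodeAstro's code. The table and column names, the session keys (user_id, role, csrf_token) and the admin-only policy are assumptions, and an in-memory SQLite database stands in for the application's MySQL backend so the script runs offline.

```php
<?php
// Added example, not vendor code: table name, session keys and role policy are assumed.

// Vulnerable shape, as described for delete_members.php: the id from the request
// goes straight to a DELETE with no session or role check, and a GET is enough.
function deleteMemberVulnerable(PDO $db, array $get): bool
{
    $id = $get['id'] ?? null;
    $stmt = $db->prepare('DELETE FROM members WHERE id = ?');
    return $stmt->execute([$id]) && $stmt->rowCount() === 1;
}

// Hardened shape. Each check maps to a control on this page:
//   AC-14: nothing happens without an authenticated session (401)
//   AC-3:  the access policy is enforced on this request (403)
//   AC-6:  only the admin role may delete, not any logged-in member
// Plus POST-only and a CSRF token, so a logged-in admin cannot be made to delete via a link.
function deleteMemberHardened(PDO $db, array $session, array $post, string $method): array
{
    if ($method !== 'POST') {
        return ['ok' => false, 'status' => 405, 'reason' => 'state change must be POST'];
    }
    if (empty($session['user_id'])) {
        return ['ok' => false, 'status' => 401, 'reason' => 'not authenticated'];
    }
    if (($session['role'] ?? '') !== 'admin') {
        return ['ok' => false, 'status' => 403, 'reason' => 'role not permitted to delete'];
    }
    $token = (string) ($post['csrf_token'] ?? '');
    if (!isset($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return ['ok' => false, 'status' => 403, 'reason' => 'bad CSRF token'];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['ok' => false, 'status' => 400, 'reason' => 'invalid id'];
    }
    $stmt = $db->prepare('DELETE FROM members WHERE id = ?');
    $stmt->execute([$id]);
    // Audit trail: record who deleted what. error_log stands in for the app's logger.
    error_log(sprintf('member %d deleted by user %s', $id, $session['user_id']));
    return ['ok' => $stmt->rowCount() === 1, 'status' => 200, 'reason' => 'deleted'];
}

// Offline demo with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO members (name) VALUES ('alice'), ('bob')");

// The exploit shape: unauthenticated GET delete_members.php?id=1.
var_dump(deleteMemberVulnerable($db, ['id' => '1']));

// The same unauthenticated request against the hardened handler, as GET and as POST.
print_r(deleteMemberHardened($db, [], ['id' => '2'], 'GET'));
print_r(deleteMemberHardened($db, [], ['id' => '2'], 'POST'));

// A legitimate admin deletion with a valid session and CSRF token.
$admin = ['user_id' => 7, 'role' => 'admin', 'csrf_token' => bin2hex(random_bytes(16))];
print_r(deleteMemberHardened($db, $admin, ['id' => '2', 'csrf_token' => $admin['csrf_token']], 'POST'));
```

The order of the checks matters: method, then authentication, then authorization, then CSRF, then input validation, so an unauthenticated probe is rejected before the code learns anything about which ids exist. In the real application the session array would come from $_SESSION after session_start() and the method from $_SERVER['REQUEST_METHOD']; the check logic is unchanged.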

Advisories and additional details on the vulnerability are documented in references including the product page at https://www.phpscriptsonline.com/product/membership-management-software and analysis at https://youngkevinn.github.io/posts/CVE-2025-70150-Membership-Unauth-Delete/. The CVE was published on 2026-02-18T18:24:20.040.

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

codeastro · membership management system · 1.0

CVEs Like This One

CVE-2025-70148 (same product: Codeastro Membership Management System)
CVE-2025-70149 (same product: Codeastro Membership Management System)
CVE-2026-27181 (shared CWE-862)
CVE-2024-12104 (shared CWE-862)
CVE-2026-32817 (shared CWE-862)
CVE-2025-22657 (shared CWE-862)
CVE-2026-4119 (shared CWE-862)
CVE-2026-25443 (shared CWE-862)
CVE-2025-23512 (shared CWE-862)
CVE-2025-68547 (shared CWE-862)

References

https://www.phpscriptsonline.com/product/membership-management-software (product page)
https://youngkevinn.github.io/posts/CVE-2025-70150-Membership-Unauth-Delete/ (analysis and proof-of-concept)