Cyber Posture

CVE-2025-70364

HighRCE

Published: 09 April 2026

Published
09 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70364 is a high-severity Code Injection (CWE-94) vulnerability in Kiamo (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 16.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely flaw remediation through patching to Kiamo 8.4 or later, which adds PHP function restrictions to directly eliminate the code injection vulnerability.

CM-7 Least Functionality good match
prevent

Enforces least functionality by disabling or restricting unnecessary arbitrary PHP code execution capabilities intended for administrators.

SI-10 Information Input Validation good match
prevent

Mandates validation of information inputs to the administrative interface to prevent code injection (CWE-94) exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

Authenticated code injection (CWE-94) directly enables arbitrary PHP/script execution on the server, mapping to Command and Scripting Interpreter.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. NOTE: the Supplier's position is that this is "a historical and intended administrative feature of the product, accessible only to…

more

already authenticated users explicitly granted administrator privileges." However, restrictions on some PHP functions were added in 8.4.

Deeper analysisAI

CVE-2025-70364 is a code injection vulnerability (CWE-94) in Kiamo versions prior to 8.4. The flaw enables authenticated administrative attackers to execute arbitrary PHP code on the server, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers require existing administrative privileges and authentication to exploit the vulnerability remotely over the network with low complexity and no user interaction. Exploitation allows full control over the server through arbitrary PHP code execution, potentially leading to complete compromise including data theft, modification, or disruption.

The supplier maintains that this is a historical and intended administrative feature accessible only to explicitly privileged users, but Kiamo 8.4 adds restrictions on certain PHP functions to mitigate it. Security practitioners should upgrade to version 8.4 or later. Relevant advisories are available at http://kiamo.com and https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md.

Details

CWE(s)
CWE-94

Affected Products

Kiamo
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-22906Shared CWE-94
CVE-2025-71281Shared CWE-94
CVE-2024-9132Shared CWE-94
CVE-2024-50658Shared CWE-94
CVE-2025-0161Shared CWE-94
CVE-2026-34060Shared CWE-94
CVE-2026-32525Shared CWE-94
CVE-2024-21760Shared CWE-94
CVE-2025-70830Shared CWE-94
CVE-2024-55028Shared CWE-94

References