Cyber Resilience

CVE-2025-70833

Severity: Critical

Published: 20 February 2026

Modified: 26 February 2026
CVSS v3.1 score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS score: 0.0040 (31.5th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-70833 is a critical-severity Improper Authentication (CWE-287) vulnerability in Lkw199711 Smanga. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-70833 is an authentication bypass vulnerability in Smanga version 3.2.7. It enables an unauthenticated attacker to reset the password of any user, including the administrator, and achieve full account takeover by manipulating POST parameters. The issue arises from insecure permission validation in the check-power.php component and is mapped to CWE-287 (Improper Authentication) and CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability was published on 2026-02-20 and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this remotely with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation grants high confidentiality (C:H) and integrity (I:H) impacts through account takeover, alongside low availability impact (A:L), without changing scope (S:U).

Advisory details are provided in the referenced GitHub issue at https://github.com/LX-66-LX/cve/issues/4.

Vulnerability details

An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully take over the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a public-facing web application vulnerability enables initial access via authentication bypass and account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70831: same product (Lkw199711 Smanga)
CVE-2025-1044: shared CWE-287
CVE-2026-1740: shared CWE-287
CVE-2026-7022: shared CWE-287
CVE-2026-28469: shared CWE-639
CVE-2024-13111: shared CWE-287
CVE-2026-40600: shared CWE-639
CVE-2025-36365: shared CWE-639
CVE-2026-29145: shared CWE-287
CVE-2018-25236: shared CWE-287

Affected Assets

Vendor: lkw199711, product: smanga, version: 3.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 (prevent): requires enforcement of approved authorizations, directly addressing the insecure permission validation in check-power.php that allowed unauthorized password resets.

SI-10 (prevent): mandates validation of information inputs such as manipulated POST parameters to prevent authorization bypass through user-controlled data.

IA-5 (prevent): ensures secure management of authenticators such as passwords, mitigating unauthorized resets and account takeovers.
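The insecure permission check described under Deeper analysis, and the AC-3, SI-10 and IA-5 controls listed above, as an added PHP illustration that is not Smanga's code: a hypothetical password-reset handler in the vulnerable shape (target account chosen by a POST parameter, no login required) beside a hardened version that takes identity from the server-side session and enforces authorization, re-authentication and input validation. The parameter names userId, currentPassword and newPassword, the user store and the 12-character minimum are assumptions.

```php
<?php
// Hypothetical illustration of the CWE-639 / CWE-287 pattern in a password-reset
// handler. Not Smanga's check-power.php: the field names, user store and policy
// below are constructed for this example.
declare(strict_types=1);

// Constructed user store: id => role and password hash.
$users = [
    1 => ['role' => 'admin', 'hash' => password_hash('admin-secret-1234', PASSWORD_DEFAULT)],
    2 => ['role' => 'user',  'hash' => password_hash('alice-secret-1234', PASSWORD_DEFAULT)],
];

// VULNERABLE: the target account is selected by a user-controlled key (CWE-639)
// and no login is required (CWE-287), so any POST can rewrite any password.
function resetPasswordVulnerable(array &$users, array $post): bool
{
    $target = (int)($post['userId'] ?? 0);
    if (!isset($users[$target])) { return false; }
    $users[$target]['hash'] = password_hash((string)($post['newPassword'] ?? ''), PASSWORD_DEFAULT);
    return true;
}

// HARDENED: identity comes only from the server-side session populated at login;
// the target must be the caller or the caller must be an admin (AC-3); a self-reset
// re-proves the current password (IA-5); the new value is validated (SI-10).
function resetPasswordHardened(array &$users, array $session, array $post): bool
{
    $caller = $session['userId'] ?? null;
    if (!is_int($caller) || !isset($users[$caller])) { return false; }   // unauthenticated
    $target = (int)($post['userId'] ?? $caller);
    if (!isset($users[$target])) { return false; }
    $isSelf  = ($target === $caller);
    $isAdmin = ($users[$caller]['role'] === 'admin');
    if (!$isSelf && !$isAdmin) { return false; }                          // AC-3 denies this target
    $current = (string)($post['currentPassword'] ?? '');
    if ($isSelf && !password_verify($current, $users[$caller]['hash'])) { return false; } // IA-5
    $new = (string)($post['newPassword'] ?? '');
    if (strlen($new) < 12) { return false; }                              // SI-10 rejects weak input
    $users[$target]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Anonymous request (no session) aimed at the administrator account: the
// vulnerable handler accepts it, the hardened one rejects it.
$request = ['userId' => '1', 'newPassword' => 'attacker-chosen-pw'];
var_dump(resetPasswordVulnerable($users, $request));
var_dump(resetPasswordHardened($users, [], $request));
```

In a real application the session must be populated only by a completed login, and the audit log should record rejected reset attempts so that probing of the endpoint is visible to detection.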
