CVE-2025-70833
Published: 20 February 2026
Summary
CVE-2025-70833 is a critical-severity Improper Authentication (CWE-287) vulnerability in Lkw199711 Smanga. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-70833 is an authentication bypass vulnerability in Smanga version 3.2.7. It enables an unauthenticated attacker to reset the password of any user, including the administrator, and achieve full account takeover by manipulating POST parameters. The issue arises from insecure permission validation in the check-power.php component and is mapped to CWE-287 (Improper Authentication) and CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability was published on 2026-02-20 and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
An unauthenticated attacker (PR:N) with network access (AV:N) can exploit this remotely with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation grants high confidentiality (C:H) and integrity (I:H) impacts through account takeover, alongside low availability impact (A:L), without changing scope (S:U).
Advisory details are provided in the referenced GitHub issue at https://github.com/LX-66-LX/cve/issues/4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207632
Vulnerability details
An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully take over the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing web application vulnerability enables initial access via authentication bypass and account takeover.
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations, directly addressing the insecure permission validation in check-power.php that allowed unauthorized password resets.
SI-10 mandates validation of information inputs like manipulated POST parameters to prevent authorization bypass through user-controlled data.
IA-5 ensures secure management of authenticators such as passwords, mitigating unauthorized resets and account takeovers.
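To make the three controls above concrete, here is an added illustration of what CWE-639 (a user-controlled key naming the target account) looks like in a password-reset handler, next to a hardened version that applies AC-3, SI-10 and IA-5. This is hypothetical example code written for this page; it is not Smanga's check-power.php and makes no claim about how that file is structured. The function names, the `users` table layout, the session keys `user_id` and `role`, and the sample accounts are all constructed for the demo.

```php
<?php
// Added example: CWE-639 pattern and a hardened password-reset handler.
// Hypothetical code, not Smanga's check-power.php. Schema and session keys are assumed.
declare(strict_types=1);

// --- Vulnerable pattern ---
// The request body names the target account and the handler trusts it, with no
// check that anyone is logged in or that the caller may touch that account.
function reset_password_vulnerable(array $post, PDO $db): void
{
    $userId = (int) ($post['userId'] ?? 0);                // attacker-controlled key (CWE-639)
    $hash   = password_hash((string) ($post['newPassword'] ?? ''), PASSWORD_DEFAULT);
    $db->prepare('UPDATE users SET password = ? WHERE id = ?')->execute([$hash, $userId]);
}

// --- Hardened pattern ---
// AC-3: the target account comes from the authenticated session, never from the
//       request, unless the session user holds the admin role.
// SI-10: the new password is validated before use.
// IA-5: a self-service reset re-authenticates with the current password.
function reset_password_hardened(array $post, array $session, PDO $db): bool
{
    if (empty($session['user_id'])) {
        return false;                                      // unauthenticated: refuse outright
    }
    $actorId  = (int) $session['user_id'];
    $isAdmin  = ($session['role'] ?? '') === 'admin';
    $targetId = $isAdmin ? (int) ($post['userId'] ?? $actorId) : $actorId;

    $newPassword = (string) ($post['newPassword'] ?? '');
    if (strlen($newPassword) < 12) {
        return false;                                      // SI-10: reject weak/missing input
    }

    if (!$isAdmin) {
        $stmt = $db->prepare('SELECT password FROM users WHERE id = ?');
        $stmt->execute([$actorId]);
        $current = $stmt->fetchColumn();
        if ($current === false
            || !password_verify((string) ($post['currentPassword'] ?? ''), (string) $current)) {
            return false;                                  // IA-5: current password required
        }
    }

    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $db->prepare('UPDATE users SET password = ? WHERE id = ?')->execute([$hash, $targetId]);
    // Audit trail for detection: who reset whose password, and with which role.
    error_log(sprintf('password reset: actor=%d target=%d admin=%s',
        $actorId, $targetId, $isAdmin ? 'y' : 'n'));
    return true;
}

// --- Self-contained demo with constructed sample data in an in-memory SQLite DB ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT, password TEXT)');
$db->prepare("INSERT INTO users VALUES (1, 'admin', ?)")
   ->execute([password_hash('admin-initial-pw', PASSWORD_DEFAULT)]);
$db->prepare("INSERT INTO users VALUES (2, 'user', ?)")
   ->execute([password_hash('user-initial-pw', PASSWORD_DEFAULT)]);

// Unauthenticated request naming the admin account: refused by the hardened handler.
var_dump(reset_password_hardened(
    ['userId' => 1, 'newPassword' => 'attacker-chosen-pw'], [], $db));

// Ordinary user supplying userId=1: the target is forced back to their own id and the
// current password is still required, so only account 2 changes.
var_dump(reset_password_hardened(
    ['userId' => 1, 'newPassword' => 'a-new-long-password', 'currentPassword' => 'user-initial-pw'],
    ['user_id' => 2, 'role' => 'user'], $db));

// Confirm the admin hash is untouched after both calls.
$stmt = $db->prepare('SELECT password FROM users WHERE id = 1');
$stmt->execute();
var_dump(password_verify('admin-initial-pw', (string) $stmt->fetchColumn()));
```

The key design point is that the hardened handler never reads the target identity from the request for a non-admin caller; the session is the sole source of "who", and the POST body only supplies "what". The `error_log` line is the hook a SOC would want: a reset where `actor` and `target` differ and `admin=n` should never appear, and a burst of resets targeting the administrator id is a useful T1190 detection signal.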