CVE-2025-70997
Published: 04 February 2026
Summary
CVE-2025-70997 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Eladmin Eladmin. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 8.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).
Deeper analysis
CVE-2025-70997 is a vulnerability affecting eladmin versions 2.7 and earlier. It enables arbitrary user password resets regardless of the attacker's permission level, stemming from improper access control (CWE-284) and incorrect authorization (CWE-863). The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating medium severity: network accessibility, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity.
An unauthenticated remote attacker can exploit this vulnerability over the network with minimal effort. By leveraging the flaw, the attacker can reset the password of any user account, potentially gaining unauthorized access to that account and escalating privileges if targeting administrative users.
For mitigation details, refer to the advisories and resources at the eladmin GitHub repository (https://github.com/elunez/eladmin) and the related CVE issue tracker (https://github.com/fofo137/CVE/issues/1), which may include patches or workarounds for affected versions. The vulnerability was published on 2026-02-04.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206813
Vulnerability details
A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing web app enables unauthenticated password reset (account manipulation) leading to unauthorized access.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks on password-reset operations so that only permitted users can reset accounts, blocking the unauthenticated arbitrary-reset flaw.
- Restricts the password-reset function to the minimum set of authorized roles, eliminating the ability for any permission level to perform the action.
- AC-14 (Permitted Actions Without Identification or Authentication): Explicitly defines which actions (including password reset) may be performed without identification or authentication, preventing the vulnerable endpoint from being reachable anonymously.
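The following is an added illustration of the control described above, not code from eladmin: a constructed password-reset handler in the vulnerable shape (the caller is never identified or checked) beside one that applies AC-3 and AC-14 so that only the account owner or an admin can reset a given account. User names, roles and the in-memory user table are constructed for the demonstration.

```python
from dataclasses import dataclass, field

ADMIN_ROLE = "admin"  # constructed role name for the demonstration


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    password_hash: str = "old"


class AuthorizationError(Exception):
    pass


def reset_password_vulnerable(users, target, new_hash, actor=None):
    """CWE-284/CWE-863 shape: trusts the target name in the request, never checks the caller."""
    users[target].password_hash = new_hash
    return True


def reset_password_checked(users, target, new_hash, actor=None):
    """AC-3/AC-14 applied: caller must be identified, and be the owner or an admin."""
    if actor is None:
        raise AuthorizationError("password reset requires authentication")
    if actor.name != target and ADMIN_ROLE not in actor.roles:
        raise AuthorizationError(f"{actor.name} is not allowed to reset {target}")
    users[target].password_hash = new_hash
    return True


def attempt(handler, target, actor=None):
    """Run one reset against a fresh constructed user table and report the outcome."""
    users = {
        "admin": User("admin", {ADMIN_ROLE}),
        "alice": User("alice"),
        "mallory": User("mallory"),
    }
    try:
        handler(users, target, "new", actor)
    except AuthorizationError:
        return "denied"
    return "reset" if users[target].password_hash == "new" else "unchanged"


def outcomes():
    anonymous, mallory, admin = None, User("mallory"), User("admin", {ADMIN_ROLE})
    return {
        "vuln_anonymous_resets_admin": attempt(reset_password_vulnerable, "admin", anonymous),
        "fixed_anonymous": attempt(reset_password_checked, "admin", anonymous),
        "fixed_low_priv_other_user": attempt(reset_password_checked, "alice", mallory),
        "fixed_self": attempt(reset_password_checked, "mallory", mallory),
        "fixed_admin_on_user": attempt(reset_password_checked, "alice", admin),
    }
```

The first case shows the advisory's failure mode (an unidentified caller resets the admin account); the remaining cases show the checked handler denying anonymous and cross-account requests while still permitting self-service and administrative resets.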