What is the CVSS score of CVE-2025-70141?

CVE-2025-70141 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of PHP are affected by CVE-2025-70141?

SourceCodester Customer Support System 1.0 contains a critical authentication bypass vulnerability that allows unauthenticated attackers to perform administrative actions including user deletion,…

Is there a public PoC exploit available for CVE-2025-70141?

Yes, a public proof-of-concept exploit is available for CVE-2025-70141. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-70141?

Within 24 hours: Isolate affected systems from production environments or restrict network access to trusted IPs only; audit recent logs for unauthorized access patterns and administrative changes. Within 7 days: Evaluate alternative customer support platforms and begin migration planning; implement Web Application Firewall rules to block ajax.php requests from untrusted sources. Within 30 days: Complete migration to patched or alternative software; conduct full data integrity audit; reset all administrative credentials and review access logs.

PHP CVE-2025-70141

CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-02-18 cve@mitre.org

PHP Customer Support System

9.4

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.4 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 23, 2026 - 15:44 vuln.today

Public exploit code

CVE Published

Feb 18, 2026 - 17:21 nvd

CRITICAL 9.4

DescriptionCVE.org

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.

AnalysisAI

Incorrect access control in SourceCodester Customer Support System 1.0 allows unauthenticated access to AJAX dispatcher, enabling full system compromise. PoC available.

Technical ContextAI

CWE-306 missing authentication on ajax.php dispatcher, which handles all business logic operations.

RemediationAI

Implement authentication checks in ajax.php before processing any operations.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-70141 vulnerability details – vuln.today

Back

PHP CVE-2025-70141

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code