What is the CVSS score of CVE-2025-70364?

CVE-2025-70364 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2025-70364?

CVE-2025-70364 affects Kiamo customer engagement platform versions prior to 8.4, enabling authenticated administrators to execute arbitrary PHP code and commands on servers hosting the platform.

How to fix or mitigate CVE-2025-70364?

Within 24 hours: Audit all administrative accounts in Kiamo and revoke unnecessary access; document current platform version across all instances. Within 7 days: Upgrade Kiamo to version 8.4 or later where patch is available; test in non-production environment first. Within 30 days: Complete production deployment of patched version; conduct post-incident review of administrative access controls and implement principle of least privilege for administrative roles.

PHP CVE-2025-70364

EUVD-2025-209386 HIGH

Code Injection (CWE-94)

2026-04-09 mitre

GHSA-qcqx-gfxj-4j65

PHP RCE Code Injection

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Apr 14, 2026 - 17:24 vuln.today

CVSS changed

Apr 14, 2026 - 17:22 NVD

8.8 (HIGH)

EUVD ID Assigned

Apr 09, 2026 - 16:00 euvd

EUVD-2025-209386

CVE Published

Apr 09, 2026 - 00:00 nvd

N/A

DescriptionNVD

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.

AnalysisAI

Arbitrary PHP code execution in Kiamo customer engagement platform (pre-8.4) allows authenticated administrative users to run commands on the underlying server. The vulnerability exploits a code injection weakness (CWE-94) via network-accessible interfaces with low complexity. No public exploit identified at time of analysis, with EPSS indicating 2% (5th percentile) exploitation probability. Detailed technical write-up published by security researcher at Hackvens confirms exploitability through administrative access.

Technical ContextAI

Kiamo is a customer engagement and contact center platform. This vulnerability involves CWE-94 (Improper Control of Generation of Code / Code Injection), where authenticated administrators can inject and execute arbitrary PHP code on the server. The flaw likely resides in administrative interfaces that fail to properly sanitize or validate user-supplied input before passing it to PHP execution contexts such as eval(), include(), or dynamic function calls. The CVSS vector (AV:N/AC:L) indicates the vulnerable functionality is network-accessible with straightforward exploitation requiring no specialized attack conditions. Versions prior to 8.4 are confirmed vulnerable, suggesting the issue was addressed in the 8.4 release. The vulnerability requires low-privilege authenticated access (PR:L), though in the context of 'administrative attackers' this likely means any user with administrative role can exploit it.

RemediationAI

Upgrade Kiamo to version 8.4 or later, which addresses this code injection vulnerability. The version 8.4 release appears to be the first patched version based on the 'before 8.4' qualifier in the vulnerability description. Consult the vendor advisory at http://kiamo.com for specific upgrade instructions and compatibility considerations. Review administrative access logs for unusual activity prior to patching. As an interim mitigation, restrict administrative interface access to trusted IP ranges via firewall rules, enforce multi-factor authentication for all administrative accounts, and audit the list of users with administrative privileges to ensure least-privilege principles. Monitor for unexpected PHP process execution or file system modifications originating from the Kiamo application context.

CVE-2025-70364 vulnerability details – vuln.today

Back

PHP CVE-2025-70364

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code