Skip to main content

PHP CVE-2025-70364

| EUVDEUVD-2025-209386 HIGH
Code Injection (CWE-94)
2026-04-09 mitre GHSA-qcqx-gfxj-4j65
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:24 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
8.8 (HIGH)
EUVD ID Assigned
Apr 09, 2026 - 16:00 euvd
EUVD-2025-209386
CVE Published
Apr 09, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server.

AnalysisAI

Arbitrary PHP code execution in Kiamo customer engagement platform (pre-8.4) allows authenticated administrative users to run commands on the underlying server. The vulnerability exploits a code injection weakness (CWE-94) via network-accessible interfaces with low complexity. No public exploit identified at time of analysis, with EPSS indicating 2% (5th percentile) exploitation probability. Detailed technical write-up published by security researcher at Hackvens confirms exploitability through administrative access.

Technical ContextAI

Kiamo is a customer engagement and contact center platform. This vulnerability involves CWE-94 (Improper Control of Generation of Code / Code Injection), where authenticated administrators can inject and execute arbitrary PHP code on the server. The flaw likely resides in administrative interfaces that fail to properly sanitize or validate user-supplied input before passing it to PHP execution contexts such as eval(), include(), or dynamic function calls. The CVSS vector (AV:N/AC:L) indicates the vulnerable functionality is network-accessible with straightforward exploitation requiring no specialized attack conditions. Versions prior to 8.4 are confirmed vulnerable, suggesting the issue was addressed in the 8.4 release. The vulnerability requires low-privilege authenticated access (PR:L), though in the context of 'administrative attackers' this likely means any user with administrative role can exploit it.

RemediationAI

Upgrade Kiamo to version 8.4 or later, which addresses this code injection vulnerability. The version 8.4 release appears to be the first patched version based on the 'before 8.4' qualifier in the vulnerability description. Consult the vendor advisory at http://kiamo.com for specific upgrade instructions and compatibility considerations. Review administrative access logs for unusual activity prior to patching. As an interim mitigation, restrict administrative interface access to trusted IP ranges via firewall rules, enforce multi-factor authentication for all administrative accounts, and audit the list of users with administrative privileges to ensure least-privilege principles. Monitor for unexpected PHP process execution or file system modifications originating from the Kiamo application context.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-70364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy