Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was found in BichitroGan ISP Billing Software 2025.3.20. Impacted is an unknown function of the file /?_route=settings/users-view/ of the component Endpoint. The manipulation of the argument ID results in improper control of resource identifiers. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
BichitroGan ISP Billing Software 2025.3.20 contains an improper resource identifier control vulnerability in the settings/users-view endpoint that allows authenticated remote attackers to disclose sensitive information via manipulation of the ID parameter. The vulnerability has a CVSS score of 4.3 with publicly available exploit code; the vendor has not responded to disclosure attempts.
Technical ContextAI
The vulnerability stems from CWE-99 (Improper Control of Resource Identifiers), a class of flaws where an application fails to properly validate or restrict access to resources based on user-supplied identifiers. In this case, the settings/users-view endpoint in BichitroGan ISP Billing Software accepts an ID parameter without adequate authorization checks, allowing an authenticated user to access or enumerate user information they should not have access to. The affected product is BichitroGan ISP Billing Software (CPE: cpe:2.3:a:bichitrogan:isp_billing_software), and the issue manifests in the web-facing component handling user management views, which typically requires knowledge of valid user identifiers to exploit but does not verify that the requestor has legitimate access to that specific user record.
RemediationAI
Contact BichitroGan for a patched version of ISP Billing Software addressing CWE-99 resource identifier validation. Until a vendor patch is available, implement access controls to restrict the settings/users-view endpoint to authorized administrators only, and review access logs for suspicious ID parameter manipulation attempts. Upgrade to the latest available version once released by the vendor. If the vendor remains unresponsive, consider implementing a web application firewall rule to block requests to /?_route=settings/users-view/ with suspicious or out-of-range ID parameters. Additional details and the public exploit are documented at https://github.com/4m3rr0r/PoCVulDb/issues/15 and https://vuldb.com/vuln/353953.
More in Isp Billing Software
View allStored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege user
Cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated high-privilege users to in
Stored cross-site scripting (XSS) in BichitroGan ISP Billing Software 2025.3.20 allows authenticated remote attackers wi
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16973