CVE-2025-65276
Published: 26 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-65276, published on 2025-11-26, is an unauthenticated administrative access vulnerability in the open-source HashTech project hosted at https://github.com/henzljw/hashtech. It affects versions from 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (dated 2021-07-02). The flaw arises from missing authentication checks on the /admin_index.php endpoint, enabling direct access to the admin dashboard without valid credentials. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control).
An unauthenticated attacker with network access can exploit this vulnerability by directly requesting the /admin_index.php URL. This grants full administrative control, including the ability to view and modify user accounts, manage orders, change payment details, and edit product listings. Exploitation leads to information disclosure, data manipulation, and privilege escalation.
An advisory with additional details is available at https://gist.github.com/whoisrushi/c3bfcd1adf96d80952edbd03d0310836.
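The root cause described above is a missing server-side authorization check on an admin page (CWE-284). The following is an added illustrative example, not code from the HashTech project, whose source is not reproduced on this page; the file names (require_admin.php, login.php, db.php), the session keys (user_id, role) and the render_admin_dashboard() helper are assumptions chosen for the demonstration. It shows the vulnerable shape of an admin page next to a guard that every admin page must run before producing any output or touching the database.

```php
<?php
// Added example. HashTech's real source is not on this page; file names,
// session keys and helper names below are assumptions, not the project's own.
declare(strict_types=1);

// --- Vulnerable pattern (CWE-284): the admin page renders for any requester ---
// admin_index.php (before):
//   <?php
//   require 'db.php';
//   render_admin_dashboard();   // nothing verifies that a logged-in admin is asking

// --- Hardened pattern: a guard included as the first line of every admin page ---
// require_admin.php:
session_start();

function require_admin(): void
{
    // Authentication alone is not enough: a normal customer session must not
    // reach the dashboard either, so the role is checked as well (least privilege).
    $isAdmin = isset($_SESSION['user_id'], $_SESSION['role'])
        && $_SESSION['role'] === 'admin';

    if (!$isAdmin) {
        // Record the denied request so unauthenticated hits on admin pages
        // show up in the application log for detection and response.
        error_log(sprintf(
            'denied admin access: ip=%s uri=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-'
        ));

        // Redirect, then stop. Without exit the rest of the page still executes
        // and the dashboard HTML is sent along with the 302, defeating the check.
        header('Location: /login.php', true, 302);
        exit;
    }
}

// admin_index.php (after): the guard runs before any output or query.
//   <?php
//   require __DIR__ . '/require_admin.php';
//   require_admin();
//   require 'db.php';
//   render_admin_dashboard();
```

The guard is placed in its own file and included at the top of each admin page rather than copied into one page, so that no admin endpoint can be added later without it; the log line gives defenders a concrete signal to alert on when a request for an admin URL arrives without a valid session.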
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote access to the administrative dashboard of a public-facing web application, directly enabling exploitation of public-facing applications for initial access and full administrative control.