CVE-2025-70141

CriticalPublic PoC

Published: 18 February 2026

Published

18 February 2026

Modified

23 February 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

EPSS Score 0.0058 68.9th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive…

operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments), resulting in unauthorized data modification.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly requires the AJAX dispatcher to enforce authentication and authorization before invoking sensitive administrative methods in admin_class.php based on the action parameter.

AC-6 Least Privilege good match

prevent

Ensures least privilege restricts unauthenticated attackers from performing administrative operations like creating customers, deleting users, or modifying records.

AC-24 Access Control Decisions good match

prevent

Mandates access control decision logic to authorize requests prior to dispatching action parameters to administrative functions, preventing unauthorized execution.

Security SummaryAI

CVE-2025-70141, published on 2026-02-18T17:21:35.700, is an incorrect access control vulnerability affecting SourceCodester Customer Support System 1.0. The issue resides in ajax.php, where the AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. This flaw, linked to CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted requests with specific action parameters, the attacker can perform sensitive administrative operations, including creating customers, deleting users (such as the admin account), and modifying or deleting other application records like tickets, departments, and comments, resulting in unauthorized data modification.

Mitigation details can be found in the provided references, including the SourceCodester download page at https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code and the analysis at https://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/.

Details

CWE(s): CWE-306 CWE-862

Affected Products

oretnom23

customer support system

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an incorrect access control in a public-facing web application's AJAX endpoint, allowing unauthenticated remote attackers to invoke administrative functions for unauthorized data modification and account deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
Product · cve@mitre.org
https://youngkevinn.github.io/posts/CVE-2025-70141-Customer-Support-BAC/
Exploit, Mitigation, Third Party Advisory · cve@mitre.org