CVE-2025-70758
Unknown Unknown - Not Provided
Authentication Bypass in core-php-admin-panel via Missing exit() Call

Publication date: 2026-02-03

Last updated on: 2026-02-11

Assigner: MITRE

Description
chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-70758
EUVD
EUVD-2025-206699
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chetans9 core-php-admin-panel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves an authentication bypass due to missing exit() after an HTTP redirect in the PHP file includes/auth_validate.php. To detect this on your system, you can inspect the source code of includes/auth_validate.php for the presence of header("Location:login.php") without a subsequent exit() or die() call.'}, {'type': 'paragraph', 'content': 'Additionally, you can monitor HTTP traffic to see if unauthenticated requests are able to access protected pages that should require authentication.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerability include:'}, {'type': 'list_item', 'content': 'Use grep to check the PHP file for the redirect without exit():\n grep -A 3 \'header("Location:login.php")\' includes/auth_validate.php'}, {'type': 'list_item', 'content': 'Use curl or wget to test access to protected pages without authentication:\n curl -I http://yourserver/protected_page.php'}, {'type': 'list_item', 'content': 'Check web server logs for unauthorized access attempts that succeeded.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this authentication bypass vulnerability, immediately update the includes/auth_validate.php file to ensure that after sending the HTTP redirect header (header("Location:login.php")), the script calls exit() or die() to stop further execution.'}, {'type': 'paragraph', 'content': 'This prevents unauthorized users from accessing protected pages after the redirect.'}, {'type': 'paragraph', 'content': 'If a patch or updated version of the core-php-admin-panel is available from the maintainer, apply it as soon as possible.'}, {'type': 'paragraph', 'content': 'In the meantime, restrict access to the application via network controls or web server configuration to trusted IPs if feasible.'}] [1]

Executive Summary

The vulnerability exists in the chetans9 core-php-admin-panel application, specifically in the includes/auth_validate.php file. When a user is not authenticated, the application sends an HTTP redirect header to login.php but fails to call exit() immediately afterward. This omission allows remote unauthenticated attackers to bypass authentication and access protected pages.

Impact Analysis

This vulnerability can allow unauthorized users to access protected areas of the application without proper authentication. As a result, attackers may gain access to sensitive information such as the customer database or other restricted data, potentially leading to data breaches or unauthorized actions within the admin panel.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-70758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart