CVE-2026-5031 is a vulnerability identified in the BichitroGan ISP Billing Software, specifically version 2025.3.20. The issue resides in an endpoint accessed via the URI /?_route=settings/users-view/, where the argument 'ID' is improperly controlled. This improper control of resource identifiers (likely an Insecure Direct Object Reference or IDOR) allows an attacker to manipulate the ID parameter to access or modify resources that should be restricted. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 5.3, indicating a medium severity level, with the vector showing network attack vector, low attack complexity, no privileges required, no user interaction, and low impact on confidentiality. The vendor was notified early but has not responded or issued a patch, and the exploit details have been publicly disclosed, raising the risk of exploitation. The vulnerability could allow unauthorized access to sensitive user or billing data, potentially leading to data leakage or unauthorized changes in ISP billing records. The lack of vendor response and patch availability means organizations must rely on alternative mitigations until an official fix is released.

The primary impact of CVE-2026-5031 is unauthorized access or modification of sensitive user and billing information within ISP billing systems. This can compromise confidentiality by exposing customer data and integrity by allowing unauthorized changes to billing records. Such breaches can lead to financial fraud, customer trust erosion, regulatory non-compliance, and operational disruptions for ISPs. Since the vulnerability is remotely exploitable without authentication, attackers can launch attacks at scale, potentially affecting many customers. The absence of a vendor patch increases the window of exposure, making organizations vulnerable to exploitation once the exploit is widely used. The impact is particularly critical for ISPs that rely heavily on this software for billing and user management, as it could disrupt billing accuracy and customer service.

Given the absence of an official patch, organizations should implement the following mitigations: 1) Restrict network access to the vulnerable endpoint by implementing strict firewall rules or network segmentation to limit exposure to trusted IPs only. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious manipulation of the ID parameter in requests to the /?_route=settings/users-view/ endpoint. 3) Conduct thorough access control audits and enforce least privilege principles within the application to minimize the impact of unauthorized access. 4) Monitor logs for anomalous access patterns or repeated attempts to manipulate resource identifiers. 5) If feasible, temporarily disable or restrict the vulnerable functionality until a vendor patch is available. 6) Engage with the vendor persistently for patch release and consider alternative ISP billing solutions if the vendor remains unresponsive. 7) Educate security teams about this vulnerability and prepare incident response plans in case exploitation is detected.