Cyber Resilience

CVE-2025-15405

MediumPublic PoC

Published: 01 January 2026

Published
01 January 2026
Modified
13 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0021 11.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15405 is a medium-severity CSRF (CWE-352) vulnerability in Phpems Phpems. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 11.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).

Deeper analysis

CVE-2025-15405 is a cross-site request forgery (CSRF) vulnerability in PHPEMS versions up to 11.0. The flaw affects an unknown function, enabling remote manipulation that leads to CSRF attacks. It is associated with CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization), and carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), indicating medium severity with low integrity impact.

Remote attackers can exploit this vulnerability without requiring privileges by crafting malicious requests that trick authenticated users into performing unintended actions on the PHPEMS application. Exploitation requires user interaction, such as clicking a malicious link, but has low attack complexity and can occur over the network.

Advisories and a proof-of-concept are documented in references including VulDB entries (ctiid.339325, id.339325, submit.728314) and a blog post at byebydoggy.github.io/post/2025/1231-phpems-csrf-poc/. The vulnerability was published on 2026-01-01T15:15:40.777.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF requires user interaction via malicious link to trigger forged requests on authenticated session.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41347Shared CWE-352
CVE-2026-39671Shared CWE-352
CVE-2025-28856Shared CWE-352
CVE-2025-28867Shared CWE-352
CVE-2025-25769Shared CWE-352
CVE-2024-57373Shared CWE-352
CVE-2026-3770Shared CWE-352, CWE-862
CVE-2024-55924Shared CWE-352
CVE-2025-70031Shared CWE-352
CVE-2025-23902Shared CWE-352

Affected Assets

phpems
phpems
≤ 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on every request, blocking the unauthorized state-changing actions that define this CSRF flaw.

prevent

Requires cryptographic or token-based session binding that would invalidate forged cross-site requests targeting PHPEMS.

prevent

Forces re-authentication before sensitive actions, defeating CSRF exploits that rely on an existing authenticated session.

References