Cyber Resilience

CVE-2025-15423

MediumPublic PoC

Published: 02 January 2026

Published
02 January 2026
Modified
07 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0031 23.0th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15423 is a medium-severity Improper Access Control (CWE-284) vulnerability in Phome Empirecms. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-15423 is an unrestricted file upload vulnerability affecting EmpireSoft EmpireCMS versions up to 8.0. The issue resides in the CheckSaveTranFiletype function within the file e/class/connect.php, where improper access control (CWE-284) and unrestricted upload of files with dangerous type (CWE-434) allow manipulation leading to unauthorized file uploads. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-01-02.

The vulnerability can be exploited remotely by an attacker with low privileges, such as an authenticated user, requiring low complexity and no user interaction. Successful exploitation enables limited impacts on confidentiality, integrity, and availability through unrestricted file uploads, potentially allowing attackers to upload malicious files.

No vendor response or patches are available, as the supplier was contacted early about the disclosure but did not reply. Advisories from sources like VulDB document the issue, and a proof-of-concept exploit has been publicly disclosed, increasing the risk of active use. References include https://note-hxlab.wetolink.com/share/28QXRLje7Uz1 and https://vuldb.com/?ctiid.339345.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability has been found in EmpireSoft EmpireCMS up to 8.0. Impacted is the function CheckSaveTranFiletype of the file e/class/connect.php. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public…

more

and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload in public-facing CMS directly enables remote exploitation (T1190) and web shell deployment (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15422Same product: Phome Empirecms
CVE-2026-4220Shared CWE-284, CWE-434
CVE-2026-0547Shared CWE-284, CWE-434
CVE-2025-7755Shared CWE-284, CWE-434
CVE-2025-1598Shared CWE-284, CWE-434
CVE-2025-15404Shared CWE-284, CWE-434
CVE-2025-15503Shared CWE-284, CWE-434
CVE-2025-9476Shared CWE-284, CWE-434
CVE-2026-7733Shared CWE-284, CWE-434
CVE-2025-2219Shared CWE-284, CWE-434

Affected Assets

phome
empirecms
≤ 8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of file content and type on all inputs to the CheckSaveTranFiletype function, directly blocking unrestricted dangerous uploads.

prevent

Enforces explicit access-control decisions on the upload operation in connect.php so that only permitted file operations succeed.

preventdetect

Requires integrity verification of uploaded files before they are saved, mitigating malicious content introduced through the vulnerable path.

References