Cyber Resilience

CVE-2025-15582

MediumPublic PoC

Published: 20 February 2026

Published
20 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 26.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15582 is a medium-severity Improper Authorization (CWE-285) vulnerability in Detronetdip E-Commerce. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-15582 is an authorization bypass vulnerability in detronetdip E-commerce version 1.0.0. The issue affects the Delete/Update functions in the Product Management Module, where manipulation of the ID argument allows unauthorized access. This flaw maps to CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), earning a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

Remote exploitation is possible by low-privileged authenticated users (PR:L) over the network, with low complexity and no user interaction required. Attackers can bypass authorization controls to delete or update products, resulting in low integrity (I:L) and availability (A:L) impacts, but no confidentiality loss.

References indicate the project was informed early via GitHub issue #23 (https://github.com/detronetdip/E-commerce/issues/23) but has not responded, with no patches available. An exploit is publicly released at https://github.com/Nixon-H/Ecommerce-IDOR-Product-Manipulation, and details are documented on VulDB (https://vuldb.com/?ctiid.346486, https://vuldb.com/?id.346486).

The public exploit availability heightens the risk of attacks on affected deployments of detronetdip E-commerce 1.0.0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is…

more

possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass (IDOR) in public-facing e-commerce web app directly enables remote exploitation of the application by authenticated users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2165Same product: Detronetdip E-Commerce
CVE-2026-2164Same product: Detronetdip E-Commerce
CVE-2024-13694Shared CWE-285, CWE-639
CVE-2026-5842Shared CWE-285, CWE-639
CVE-2025-64523Shared CWE-285, CWE-639
CVE-2026-28469Shared CWE-639
CVE-2026-40600Shared CWE-639
CVE-2025-36365Shared CWE-639
CVE-2025-9062Shared CWE-639
CVE-2025-69347Shared CWE-639

Affected Assets

detronetdip
e-commerce
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the ID parameter before allowing Delete/Update operations in the Product Management Module, blocking the exact bypass described.

prevent

Restricts each authenticated user to only the minimal product-management privileges needed, reducing the impact surface of an ID manipulation attack.

prevent

Validates that supplied ID values correspond to objects the current user is authorized to modify, mitigating the CWE-639 user-controlled key flaw.

References