CVE-2025-9476
Published: 26 August 2025
Summary
CVE-2025-9476 is a medium-severity Improper Access Control (CWE-284) vulnerability in Nelzkie15 Human Resource Information System. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2025-9476 is an unrestricted file upload vulnerability in SourceCodester Human Resource Information System 1.0, published on 2025-08-26. The flaw affects unknown functionality within the file /Superadmin_Dashboard/process/editemployee_process.php, where manipulation of the employee_file201 argument enables attackers to upload files without restrictions. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
Remote attackers can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation requires low complexity and can lead to low-level impacts on confidentiality, integrity, and availability, potentially allowing malicious file uploads that compromise the system.
Advisories detailing the issue are available via VulDB (ctiid.321345, id.321345, submit.634757) and GitHub (lrjbsyh/CVE_Hunter issues/5 and issue-3322736605). The exploit has been publicly disclosed and may be used by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25831
Vulnerability details
A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argument employee_file201 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload vulnerability in public-facing web application (/Superadmin_Dashboard/process/editemployee_process.php) allows unauthenticated remote attackers to upload executable malicious files (e.g., PHP web shells) to a web-accessible directory, enabling exploitation of public-facing applications and deployment/execution of web shells for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input (including file uploads via employee_file201) to reject dangerous or unexpected content types before processing.
- SI-3 (Malicious Code Protection): mandates malicious-code scanning and blocking of uploaded files, preventing execution of arbitrary payloads delivered through the unrestricted upload path.
- Least privilege: enforces least-privilege assignment so that the editemployee_process.php functionality cannot be reached or exercised by unauthenticated remote users.
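The following is an added example, not code from the SourceCodester Human Resource Information System, showing what the input-validation and least-privilege controls above look like in a PHP upload handler for the employee_file201 field. The field name comes from the advisory; the session layout ($_SESSION['user_id'], $_SESSION['role']), the storage directory, the size limit and the accepted document types are assumptions chosen for illustration.

```php
<?php
// Added example (hypothetical hardened handler, not the HRIS project's code).
// Demonstrates: authorization before any processing (least privilege), an
// extension allowlist plus content sniffing (SI-10), and storage under a
// server-chosen name outside the web root so nothing uploaded can execute.
declare(strict_types=1);

session_start();

// Least privilege: only an authenticated superadmin may reach this endpoint.
// The session keys below are an assumed layout.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'superadmin') {
    http_response_code(403);
    exit('Forbidden');
}

// Allowlist: extension => MIME types that the file's bytes must actually match.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];
const MAX_BYTES  = 5 * 1024 * 1024;          // 5 MiB, assumed policy
const UPLOAD_DIR = '/var/app/hris_uploads';  // assumed: outside the web root, no execute

function validate_upload(array $file): string
{
    // PHP reports transport-level problems in 'error'; anything but UPLOAD_ERR_OK is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only the final extension counts, lower-cased, so "x.php" and "x.pdf.php" are both refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // The MIME type is derived from the bytes on disk, never from the client-supplied 'type'.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension');
    }
    return $ext;
}

function store_upload(array $file, string $ext): string
{
    // Random server-chosen name: the client's filename never reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the application user, never executable
    return $name;
}

try {
    $upload = $_FILES['employee_file201'] ?? [];
    $ext    = validate_upload($upload);
    $stored = store_upload($upload, $ext);
    // Persist $stored against the employee record here (database code omitted).
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The SI-3 control slots in between validate_upload() and store_upload(): the validated temporary file is handed to a malware scanner and stored only on a clean verdict. Serving stored documents back to users should go through a download script that sets Content-Disposition and a fixed Content-Type, rather than exposing UPLOAD_DIR directly, so that even a mis-classified file is never interpreted by the web server.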