Cyber Resilience

CVE-2025-9476

MediumPublic PoC

Published: 26 August 2025

Published
26 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 38.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9476 is a medium-severity Improper Access Control (CWE-284) vulnerability in Nelzkie15 Human Resource Information System. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2025-9476 is an unrestricted file upload vulnerability in SourceCodester Human Resource Information System 1.0, published on 2025-08-26. The flaw affects unknown functionality within the file /Superadmin_Dashboard/process/editemployee_process.php, where manipulation of the employee_file201 argument enables attackers to upload files without restrictions. It is associated with CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type).

Remote attackers can exploit this vulnerability without authentication or user interaction, as indicated by its CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation requires low complexity and can lead to low-level impacts on confidentiality, integrity, and availability, potentially allowing malicious file uploads that compromise the system.

Advisories detailing the issue are available via VulDB (ctiid.321345, id.321345, submit.634757) and GitHub (lrjbsyh/CVE_Hunter issues/5 and issue-3322736605). The exploit has been publicly disclosed and may be used by attackers.

EU & UK References

Vulnerability details

A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argument employee_file201 leads to unrestricted upload. The attack may be launched remotely.…

more

The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unrestricted file upload vulnerability in public-facing web application (/Superadmin_Dashboard/process/editemployee_process.php) allows unauthenticated remote attackers to upload executable malicious files (e.g., PHP web shells) to a web-accessible directory, enabling exploitation of public-facing applications and deployment/execution of web shells for RCE.

CVEs Like This One

CVE-2025-9475Same product: Nelzkie15 Human Resource Information System
CVE-2024-13144Shared CWE-284, CWE-434
CVE-2025-8255Shared CWE-284, CWE-434
CVE-2025-2219Shared CWE-284, CWE-434
CVE-2025-7413Shared CWE-284, CWE-434
CVE-2025-0341Shared CWE-284, CWE-434
CVE-2026-3748Shared CWE-284, CWE-434
CVE-2026-2666Shared CWE-284, CWE-434
CVE-2026-2979Shared CWE-284, CWE-434
CVE-2026-3800Shared CWE-284, CWE-434

Affected Assets

nelzkie15
human resource information system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input (including file uploads via employee_file201) to reject dangerous or unexpected content types before processing.

preventdetect

Mandates malicious-code scanning and blocking of uploaded files, preventing execution of arbitrary payloads delivered through the unrestricted upload path.

prevent

Enforces least-privilege assignment so that the editemployee_process.php functionality cannot be reached or exercised by unauthenticated remote users.

References