CVE-2025-15405
Cross-Site Request Forgery in PHPEMS Allows Remote Attack
Publication date: 2026-01-01
Last updated on: 2026-01-01
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | phpems | to 11.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15405 is a Cross-Site Request Forgery (CSRF) vulnerability in PHPEMS versions up to 11.0. It allows an attacker to trick an authenticated user into unknowingly submitting forged requests that perform sensitive actions, such as modifying system configurations like allowed file name extensions. This happens because the application lacks proper CSRF protection mechanisms, such as CSRF tokens, allowing attackers to exploit the victim's valid session remotely without further interaction. [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized changes in the system, such as adding dangerous file extensions (e.g., 'phar'), which can bypass file upload restrictions. This enables attackers to upload malicious executable files, potentially resulting in server-side code execution, data theft, server takeover, and disruption of normal system operations. Sensitive data like user information and exam data may be exposed, and the overall security of the system's file upload mechanism can be compromised. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-15405 involves monitoring for unauthorized or unexpected HTTP requests that modify sensitive settings such as allowed file extensions in PHPEMS. Since the vulnerability is a CSRF attack exploiting missing CSRF tokens, you can detect suspicious POST requests to endpoints responsible for configuration changes, especially those lacking CSRF tokens or originating from unexpected Referer or Origin headers. Using tools like Burp Suite to intercept and analyze HTTP traffic can help identify such requests. Commands to monitor web server logs for suspicious POST requests or unusual changes to configuration files may include: 1) Using grep to find POST requests modifying file extensions in access logs, e.g., `grep -i 'POST' /var/log/apache2/access.log | grep 'file_extension'` 2) Using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for suspicious requests. 3) Employing web application firewalls (WAF) logs to detect CSRF attack patterns. However, no specific detection commands are provided in the resources. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2025-15405 include: 1) Implement CSRF token verification by generating unique, random tokens stored in user sessions and validated on the server for all sensitive operations, including file extension modifications. 2) Strengthen permission controls by restricting file extension modification rights to high-privilege backend administrators only, and add secondary authentication like password verification for sensitive changes. 3) Enforce server-side validation with a hard-coded whitelist of safe file extensions for uploads, ignoring user-modifiable configurations for critical security checks. 4) Check the Referer or Origin HTTP headers to ensure requests originate from the official PHPEMS domain as an auxiliary defense against cross-domain CSRF. 5) Disable execution permissions for uploaded files by storing them in non-parsed directories and prohibiting execution of PHAR/PHP files in upload locations. Additionally, consider replacing the affected PHPEMS version with a patched or alternative solution if available, as no public exploit or detailed mitigations currently exist. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to perform unauthorized actions such as modifying system configurations and uploading malicious files, potentially leading to data theft and system compromise. This can result in unauthorized access to sensitive user information and exam data, which may violate data protection requirements under standards like GDPR and HIPAA. Therefore, the vulnerability poses a risk to compliance with these regulations by undermining data integrity and confidentiality. [1, 3]