CVE-2025-15457

HighPublic PoC

Published: 05 January 2026

Published

05 January 2026

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0042 61.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability was found in bg5sbk MiniCMS up to 1.8. The impacted element is an unknown function of the file /minicms/mc-admin/post.php of the component Trash File Restore Handler. Performing a manipulation results in improper authentication. It is possible to initiate…

the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, directly preventing unauthorized remote manipulation of the trash file restore handler due to improper authentication.

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Requires unique identification and authentication for organizational users accessing admin functions, comprehensively addressing the CWE-287 improper authentication flaw.

SI-2 Flaw Remediation good match

preventrecover

Mandates timely identification, reporting, and correction of system flaws like the unpatched improper authentication in MiniCMS /mc-admin/post.php.

Security SummaryAI

CVE-2025-15457 is an improper authentication vulnerability (CWE-287) affecting bg5sbk MiniCMS versions up to 1.8. The issue resides in an unknown function within the file /minicms/mc-admin/post.php, part of the Trash File Restore Handler component. Published on 2026-01-05, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

Remote attackers require no privileges or user interaction to exploit this vulnerability. Successful manipulation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized access or actions via the trash file restore functionality. An exploit has been publicly disclosed and could be actively used.

Advisories from VulDB (ctiid.339490, id.339490, submit.725139) and a GitHub issue (ueh1013/VULN/issues/12) detail the flaw, noting that the vendor was contacted early but provided no response. No patches, mitigations, or vendor fixes are referenced.

Details

CWE(s): CWE-287 NVD-CWE-noinfo

Affected Products

1234n

minicms

≤ 1.8

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2025-15457 is an improper authentication vulnerability in a public-facing web application (MiniCMS admin component), directly enabling remote exploitation without privileges or interaction, matching T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/ueh1013/VULN/issues/12
Exploit, Issue Tracking, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.339490
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.339490
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.725139
Third Party Advisory, VDB Entry · cna@vuldb.com