PHPEMS CVE-2025-15242
Severity: LOW. CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A vulnerability was detected in PHPEMS up to 11.0. The impacted element is an unknown function of the component Coupon Handler. Performing a manipulation results in a race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit is now public and may be used.
Analysis (AI)
A race condition in the Coupon Handler component of PHPEMS up to version 11.0 allows an authenticated remote attacker (PR:L) to manipulate coupon processing. The vector rates the impact as a limited loss of integrity (VI:L) with no confidentiality or availability impact. Exploitation requires a valid account and winning a timing window (AC:H), which limits practical exploitation even though proof-of-concept code is public. The EPSS score of 0.04% is consistent with a low probability of in-the-wild exploitation.
Technical Context (AI)
PHPEMS is an exam management system written in PHP. The flaw lies in the Coupon Handler component; the NVD description names neither the affected function nor the coupon workflow, so the details below describe the vulnerability class rather than confirmed code. The class is a race condition (CWE-362). In coupon handling the usual form is check-then-act, the time-of-check-time-of-use (TOCTOU) variant tracked as CWE-367: the handler reads the coupon's validity or redemption status in one query and redeems or applies it in a later query, with nothing making the two steps atomic. An attacker who sends several redemption requests concurrently can have all of them pass the check before any of them records the use, redeeming a single-use coupon more than once or otherwise bypassing the intended restriction. Exploitation needs a network-reachable PHPEMS instance with coupon functionality enabled and a low-privileged account, and affects all versions up to and including 11.0.
Remediation (AI)
Upgrade PHPEMS to a version newer than 11.0 once the vendor publishes a patched release. No specific fixed version is confirmed in the available data; contact the PHPEMS vendor or community for confirmation of patch availability and timeline. As interim compensating controls, restrict network access to the PHPEMS coupon handling endpoints to trusted internal networks, or disable coupon functionality if it is not needed. Request rate-limiting and per-session controls on the coupon endpoints raise the cost of an attack but do not close the window: a race needs only a handful of requests arriving at the same instant, which a per-second limit does not prevent. The actual fix is to make the check and the state change a single atomic operation, for example a conditional UPDATE (set the coupon to used only where it is still unused, and treat a zero affected-row count as a failed redemption), a row lock such as SELECT ... FOR UPDATE inside a transaction on a database that supports it, or a unique constraint on the redemption record so a second insert fails. Monitor coupon transaction logs for bursts of near-simultaneous requests for the same coupon from one session, and for redemption counts that exceed what a coupon should allow; either pattern indicates race attempts.
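The following is an added illustration, not PHPEMS code, of the check-then-act pattern described under Technical Context and of the atomic conditional UPDATE recommended above. The coupons table, the coupon code "SAVE10" and the two redeem functions are hypothetical stand-ins for the Coupon Handler; the simulation uses a local SQLite file and a barrier so that every concurrent request finishes its check before any of them writes, which is the worst case an attacker is trying to produce.

```python
"""Check-then-act coupon redemption race, and the atomic fix.

Added illustration, not PHPEMS code: the table, the coupon code "SAVE10"
and the redeem functions are hypothetical stand-ins for the Coupon Handler.
"""
import os
import sqlite3
import tempfile
import threading

COUPON = "SAVE10"   # constructed sample single-use coupon


def setup_db(db_path):
    """Create a single-use coupon table and seed one unused coupon (constructed data)."""
    conn = sqlite3.connect(db_path)
    conn.execute("PRAGMA journal_mode=WAL")  # readers never block writers
    conn.execute(
        "CREATE TABLE coupons (code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute("INSERT INTO coupons (code, used) VALUES (?, 0)", (COUPON,))
    conn.commit()
    conn.close()


def redeem_vulnerable(db_path, code, window):
    """Check-then-act: SELECT the status, then UPDATE unconditionally.

    `window` is called between the check and the use; in the simulation it is
    a barrier that lets every concurrent request finish its check first."""
    conn = sqlite3.connect(db_path, timeout=10)
    try:
        rows = conn.execute("SELECT used FROM coupons WHERE code = ?", (code,)).fetchall()
        unused = bool(rows) and rows[0][0] == 0   # time of check
        window()
        if not unused:
            return False
        conn.execute("UPDATE coupons SET used = 1 WHERE code = ?", (code,))  # time of use
        conn.commit()
        return True
    finally:
        conn.close()


def redeem_atomic(db_path, code, window):
    """Fix: fold the check into the write. The WHERE clause is evaluated under
    the database's write lock, so exactly one concurrent UPDATE can match."""
    conn = sqlite3.connect(db_path, timeout=10)
    try:
        window()
        cur = conn.execute(
            "UPDATE coupons SET used = 1 WHERE code = ? AND used = 0", (code,)
        )
        conn.commit()
        return cur.rowcount == 1   # one row changed means this request won
    finally:
        conn.close()


def simulate(redeem, attackers=5):
    """Fire `attackers` concurrent redemptions of one coupon; return how many succeeded."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "coupons.db")
        setup_db(db_path)
        barrier = threading.Barrier(attackers)
        results, lock = [], threading.Lock()

        def worker():
            ok = redeem(db_path, COUPON, lambda: barrier.wait(timeout=10))
            with lock:
                results.append(ok)

        threads = [threading.Thread(target=worker) for _ in range(attackers)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return sum(results)


if __name__ == "__main__":
    print("vulnerable: redemptions of one coupon =", simulate(redeem_vulnerable))  # 5
    print("atomic:     redemptions of one coupon =", simulate(redeem_atomic))      # 1
```

With five concurrent requests the check-then-act version redeems the single-use coupon five times, because every request reads `used = 0` before any of them writes; the conditional UPDATE version redeems it exactly once, since the database evaluates `used = 0` while holding the write lock and the other four requests see `rowcount == 0`. The same pattern applies to any per-coupon counter (remaining uses, per-user limits): put the limit check in the WHERE clause of the write, or take a row lock in a transaction, rather than reading first and writing later.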