
jshERP CVE-2025-7947

LOW
Incorrect Privilege Assignment (CWE-266)
2025-07-22 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 01:46 (vuln.today)

Description (CVE.org)

A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI)

Improper authorization in jshERP up to version 3.5 allows authenticated remote attackers to modify or delete user accounts via manipulation of the ID parameter in the /user/delete endpoint, potentially resulting in unauthorized account manipulation and information disclosure. Publicly available exploit code exists for this vulnerability.

Technical Context (AI)

jshERP is an enterprise resource planning system with a web-based interface. The vulnerability exists in the Account Handler component that processes user deletion requests via the /user/delete endpoint. The root cause is classified as CWE-266 (Incorrect Privilege Assignment), indicating that the application fails to verify whether the authenticated user is authorized to delete the specific user account identified by the ID parameter. An authenticated attacker can bypass account ownership or privilege checks simply by supplying a different ID, which points to insufficient input validation and authorization controls in the account management logic.

Remediation (AI)

Upgrade jshERP to version 3.6 or later, which should include authorization checks in the account deletion logic. As an interim compensating control, restrict access to the /user/delete endpoint to administrative users only via network controls or reverse proxy rules, and implement audit logging for all account deletion requests to detect unauthorized attempts. Additionally, validate that the ID parameter in deletion requests matches the authenticated user's own account or is performed by users with explicit administrative privileges. If upgrading is not immediately possible, disable the /user/delete endpoint entirely and handle account deletions through administrative interfaces with stronger access controls. Monitor authentication logs for suspicious activity patterns suggesting credential compromise. Test all compensating controls thoroughly before deployment to avoid blocking legitimate administrative functions.
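The authorization rule and the audit-log review described above, as an added illustration that is not jshERP's code: the `User` type, the `/user/delete` handler shapes, the `authorize_delete` rule and the log line format are all assumptions made here. The weak handler trusts the client-supplied ID; the checked handler enforces "own account or explicit admin". The same rule is then applied to constructed audit log lines to flag deletion requests that should not have been permitted, whether or not the server answered them with 200.

```python
"""Authorization check for a delete-user endpoint plus audit-log review.

Constructed illustration for the remediation text; it is not jshERP's
code. The User dataclass, the handler signatures and the log format are
assumptions made for this example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class User:
    user_id: int
    is_admin: bool


class AuthorizationError(Exception):
    """Raised when the caller may not delete the requested account."""


def delete_user_unchecked(requester: User, target_id: int, store: dict) -> bool:
    # Weak pattern: acts on the client-supplied ID without asking who is
    # calling. Any authenticated user can remove any account this way.
    return store.pop(target_id, None) is not None


def authorize_delete(requester: User, target_id: int) -> bool:
    # Rule from the remediation text: the target must be the caller's own
    # account, or the caller must hold an explicit administrative privilege.
    return requester.is_admin or requester.user_id == target_id


def delete_user_checked(requester: User, target_id: int, store: dict) -> bool:
    # Hardened pattern: the authorization decision happens server-side,
    # before the deletion, using the authenticated identity rather than
    # anything taken from the request body.
    if not authorize_delete(requester, target_id):
        raise AuthorizationError(
            f"user {requester.user_id} may not delete user {target_id}")
    return store.pop(target_id, None) is not None


# Assumed audit-log line format (constructed for this example):
#   <timestamp> requester=<id> admin=<true|false> path=/user/delete id=<id> status=<code>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) requester=(?P<req>\d+) admin=(?P<adm>true|false) "
    r"path=/user/delete id=(?P<target>\d+) status=(?P<status>\d+)$"
)

# Constructed sample log: one self-deletion, one admin deletion, two
# attempts by a non-admin against other accounts, one unrelated request.
SAMPLE_LOG = """\
2025-07-22T10:00:01Z requester=42 admin=false path=/user/delete id=42 status=200
2025-07-22T10:00:07Z requester=42 admin=false path=/user/delete id=1 status=200
2025-07-22T10:00:13Z requester=1 admin=true path=/user/delete id=17 status=200
2025-07-22T10:00:20Z requester=42 admin=false path=/user/delete id=5 status=403
2025-07-22T10:00:25Z requester=9 admin=false path=/user/list status=200
"""


def find_suspicious_deletes(lines):
    """Return (timestamp, requester, target, status) for every /user/delete
    request that the authorization rule would have denied. A 200 on such a
    line means the deletion went through and needs follow-up; a 403 shows
    the control is working but someone is still probing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a deletion request, or an unparseable line
        requester = User(int(m["req"]), m["adm"] == "true")
        target = int(m["target"])
        if not authorize_delete(requester, target):
            hits.append((m["ts"], requester.user_id, target, int(m["status"])))
    return hits


if __name__ == "__main__":
    accounts = {1: "admin", 42: "alice", 17: "bob"}
    try:
        delete_user_checked(User(42, False), 1, accounts)
    except AuthorizationError as exc:
        print("blocked:", exc)
    for hit in find_suspicious_deletes(SAMPLE_LOG.splitlines()):
        print("review:", hit)
```

The detector deliberately reuses `authorize_delete` so that the log review and the runtime check express the same policy; if the policy changes (for example, allowing managers to delete users in their own department), both move together.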


CVE-2025-7947 vulnerability details – vuln.today
