PT-2025-48366 · Orangehrm · Orangehrm
Published 2025-11-29 · Updated 2025-12-22 · CVE-2025-66225
CVSS v3.1: 8.8 (High) | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OrangeHRM versions 5.0 through 5.7
Description
OrangeHRM is a human resource management system. A flaw exists in the password reset workflow: the system does not verify that the username submitted in the final reset request matches the account that initiated the process. An attacker can modify the username parameter in that request to target a different user and successfully set a new password for it, leading to full account takeover, including of privileged accounts. This affects versions 5.0 through 5.7. The issue is resolved in version 5.8.
Recommendations
Upgrade to OrangeHRM version 5.8 or later.
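To show the missing check described above, here is an added example (not OrangeHRM's code; the in-memory stores, function names and token handling are assumptions): the vulnerable handler updates whichever account the final request names, while the fixed handler derives the account from the token issued at the start of the flow and rejects any mismatch.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for a user table and a reset-token table.
USERS = {"alice": {"password": None}, "admin": {"password": None}}
RESET_TOKENS = {}  # token -> username that requested the reset


def _hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 so the stored value is a proper password hash."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def begin_reset(username: str) -> str:
    """Step 1: a random token is issued and bound to the requesting account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def complete_reset_vulnerable(token: str, username: str, new_password: str) -> str:
    """Mirrors the advisory's flaw: the token is only checked for existence,
    and the account to update is taken from the client-supplied username."""
    if token not in RESET_TOKENS:
        raise PermissionError("unknown reset token")
    USERS[username]["password"] = _hash_password(new_password)
    RESET_TOKENS.pop(token)
    return username  # whichever account the request named, not the requester


def complete_reset_fixed(token: str, username: str, new_password: str) -> str:
    """Hardened: the target account is the one bound to the token; the
    username field is only cross-checked, and a mismatch aborts the reset."""
    bound_user = RESET_TOKENS.get(token)
    if bound_user is None or not hmac.compare_digest(
        bound_user.encode(), username.encode()
    ):
        raise PermissionError("reset token does not belong to this account")
    USERS[bound_user]["password"] = _hash_password(new_password)
    RESET_TOKENS.pop(token)
    return bound_user
```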
Fix
Insufficient Verification of Data Authenticity
RCE
Related Identifiers
Affected Products
Orangehrm