AI description
CVE-2025-66224 is an input-neutralization flaw found in OrangeHRM versions 5.0 to 5.7. The vulnerability lies within the application's mail configuration and delivery workflow. User-controlled values are not sanitized before being incorporated into the system's sendmail command. This flaw makes it possible for the application to write files on the server during mail handling. If these files end up in web-accessible locations, it can lead to the execution of attacker-controlled content. The vulnerability has been patched in version 5.8.
- Description
- OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- orangehrm
CVSS 4.0
- Type
- Secondary
- Base score
- 9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-94
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
17
#exploit 1⃣. CVE-2025-31200, CVE-2025-31201: https://t.co/l1YEKl5Wn9 iMessage Zero‑Click RCE Chain 2⃣. CVE-2025-14282: https://t.co/xhWFlsnWsq Dropbear - privilege escalation via Unix domain socket forwarding 3⃣. CVE-2025-66224: https://t.co/BFGbZnVKgE OrangeHRM RCE 4
@ksg93rd
21 Dec 2025
12696 Impressions
68 Retweets
235 Likes
160 Bookmarks
0 Replies
0 Quotes
CVE-2025-66224 OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail config… https://t.co/wHs6piCmDB
@CVEnew
29 Nov 2025
400 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-66224: OrangeHRM is Vulnerable to Code ... Classic command injection in OrangeHRM's mail handler leads to arbitrary file write and RCE via sendmail parameter poll... https://t.co/dctxOCktTt #netsec #vulnerability #CVE #sysadmin #zeroday
@0dayPublishing
29 Nov 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:orangehrm:orangehrm:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6B30DE92-57A2-492F-A3F3-B8EFEEBEFE70",
"versionEndExcluding": "5.8",
"versionStartIncluding": "5.0"
}
],
"operator": "OR"
}
]
}
]