Cyber Posture

CVE-2025-1387

Critical

Published: 17 February 2025

Published
17 February 2025
Modified
17 November 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0061 69.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1387 is a critical-severity Weak Authentication (CWE-1390) vulnerability in Learningdigital Orca Hcm. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked in the top 30.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-2 Identification and Authentication (Organizational Users) good match
prevent

Requires systems to uniquely identify and authenticate organizational users before granting access, directly preventing unauthenticated attackers from logging in as any user.

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

Explicitly identifies and authorizes only specific actions without identification or authentication, prohibiting unauthenticated logins to the system.

AC-3 Access Enforcement good match
prevent

Enforces approved access authorizations in accordance with policy, ensuring logical access requires proper authentication and mitigating impersonation vulnerabilities.

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct auth bypass on public-facing HCM app enables use of valid accounts (T1078) via exploitation of remote application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.

Deeper analysisAI

CVE-2025-1387, published on 2025-02-17, is an Improper Authentication vulnerability (CWE-1390) affecting Orca HCM, a human capital management system from LEARNING DIGITAL. The flaw enables unauthenticated remote attackers to log in to the system as any user, bypassing normal authentication controls. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network vector, low complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.

Any unauthenticated remote attacker can exploit this vulnerability by targeting the affected Orca HCM instance over the network. Successful exploitation grants the attacker the ability to impersonate any user account, potentially allowing full administrative access, data exfiltration, system modification, or service disruption depending on the targeted user's privileges.

Advisories from TWCERT/CC detail mitigation steps and are available at https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html and https://www.twcert.org.tw/tw/cp-132-8427-daea8-1.html.

Details

CWE(s)
CWE-1390

Affected Products

learningdigital
orca hcm
≤ 11.0

CVEs Like This One

CVE-2025-1388Same product: Learningdigital Orca Hcm
CVE-2025-1389Same product: Learningdigital Orca Hcm
CVE-2026-4924Shared CWE-1390
CVE-2024-48886Shared CWE-1390
CVE-2025-12870Shared CWE-1390
CVE-2023-53894Shared CWE-1390
CVE-2025-40554Shared CWE-1390
CVE-2025-40552Shared CWE-1390
CVE-2026-28710Shared CWE-1390
CVE-2026-4828Shared CWE-1390

References