Cyber Resilience

CVE-2025-1388

High

Published: 17 February 2025

Published
17 February 2025
Modified
17 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0051 66.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1388 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Learningdigital Orca Hcm. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1388, published on 2025-02-17, is an Arbitrary File Upload vulnerability (CWE-434) in Orca HCM, a human capital management software product from LEARNING DIGITAL. The flaw enables remote attackers with regular privileges to upload arbitrary files, including web shells, due to insufficient validation of uploaded file types.

Attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, provided they possess low-level (regular) privileges on the affected system. Successful exploitation allows attackers to execute uploaded web shells, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Advisories from TWCERT detail the vulnerability and are available at https://www.twcert.org.tw/en/cp-139-8430-32513-2.html and https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html.

EU & UK References

Vulnerability details

Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload (CWE-434) in a remote web app directly enables web shell deployment (T1505.003) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1389Same product: Learningdigital Orca Hcm
CVE-2025-1387Same product: Learningdigital Orca Hcm
CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434
CVE-2026-2097Shared CWE-434
CVE-2025-12154Shared CWE-434

Affected Assets

learningdigital
orca hcm
≤ 11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly mandates validation of uploaded file content and format to block arbitrary files including web shells due to insufficient file type validation.

preventdetect

SI-3 deploys malicious code protection mechanisms to detect and eradicate web shells uploaded and executed via the vulnerability.

prevent

SI-2 requires timely identification, reporting, and correction of the specific arbitrary file upload flaw in Orca HCM.

References