CVE-2025-1388

High

Published: 17 February 2025

Published

17 February 2025

Modified

17 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0051 66.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1388 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Learningdigital Orca Hcm. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly mandates validation of uploaded file content and format to block arbitrary files including web shells due to insufficient file type validation.

SI-3 Malicious Code Protection good match

preventdetect

SI-3 deploys malicious code protection mechanisms to detect and eradicate web shells uploaded and executed via the vulnerability.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and correction of the specific arbitrary file upload flaw in Orca HCM.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Arbitrary file upload (CWE-434) in a remote web app directly enables web shell deployment (T1505.003) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells

Deeper analysisAI

CVE-2025-1388, published on 2025-02-17, is an Arbitrary File Upload vulnerability (CWE-434) in Orca HCM, a human capital management software product from LEARNING DIGITAL. The flaw enables remote attackers with regular privileges to upload arbitrary files, including web shells, due to insufficient validation of uploaded file types.

Attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, provided they possess low-level (regular) privileges on the affected system. Successful exploitation allows attackers to execute uploaded web shells, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Advisories from TWCERT detail the vulnerability and are available at https://www.twcert.org.tw/en/cp-139-8430-32513-2.html and https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html.