CVE-2025-66224

Severity: Critical · Impact: RCE

Published: 29 November 2025
Modified: 03 December 2025
KEV Added: not listed
Patch: available (fixed in version 5.8)
CVSS Score (v4): 9.0, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0013 (32.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66224 is a critical-severity Code Injection (CWE-94) vulnerability in OrangeHRM (vendor: OrangeHRM). Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 32.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66224 is an input neutralization vulnerability (CWE-94) affecting OrangeHRM, an open-source human resource management system, in versions 5.0 through 5.7. The flaw resides in the application's mail configuration and delivery workflow, where user-controlled values are incorporated unsanitized into OS-level sendmail commands. This allows attackers to invoke unintended sendmail behaviors, such as writing files to the server filesystem during email processing. Published on 2025-11-29, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers require low privileges, such as those of an authenticated OrangeHRM user, to exploit the issue remotely with low complexity and no user interaction. By manipulating inputs in the mail-sending logic, they can cause the application to write arbitrary files on the server as part of the mail-handling routine. In deployments where these files land in web-accessible locations, attackers can achieve execution of their controlled content, resulting in high-impact confidentiality, integrity, and availability compromises, including potential remote code execution.

OrangeHRM has patched the vulnerability in version 5.8. Additional details on the fix and affected configurations are available in the GitHub Security Advisory at https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55.

Vulnerability details

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system's sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8.
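The defect described in the deeper analysis and in the vulnerability details above is a generic one: configuration values that an authenticated user can set are concatenated into an OS command string, so a value containing whitespace becomes extra arguments to the mail binary. The following Python is an added illustration and is not OrangeHRM code (OrangeHRM's own code base is PHP). It assumes a hypothetical mail-configuration form with a `sendmail_path` and a `sender` field, and a conventional `sendmail -t -i -f <sender>` invocation. It shows the vulnerable string-building pattern next to a hardened form that allowlists the binary path, validates the address against a conservative grammar (which also rejects values beginning with `-`, so a user value can never be parsed as an option), and passes the result as an argv list so no shell ever tokenizes it. `audit_mail_config` applies the same checks to stored configuration, which is what NIST SI-10 asks for at this boundary.

```python
import re
import shlex
import subprocess
from typing import List, Sequence

# Constructed allowlist: the only sendmail binaries this hypothetical deployment accepts.
ALLOWED_SENDMAIL_PATHS = frozenset({"/usr/sbin/sendmail", "/usr/lib/sendmail"})

# Conservative address grammar: no whitespace, quotes or shell metacharacters,
# and the first character must be alphanumeric (so a leading '-' is rejected).
ADDRESS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class MailConfigError(ValueError):
    """Raised when a mail-configuration value fails validation."""


def validate_sendmail_path(path: str) -> str:
    """Accept only an exact allowlisted binary path; reject everything else."""
    if path not in ALLOWED_SENDMAIL_PATHS:
        raise MailConfigError(f"sendmail path not allowlisted: {path!r}")
    return path


def validate_address(addr: str) -> str:
    """Accept a single plain address; anything that could split into extra
    arguments or look like an option is refused."""
    if not ADDRESS_RE.fullmatch(addr):
        raise MailConfigError(f"rejected address: {addr!r}")
    return addr


def build_command_unsafe(sendmail_path: str, sender: str) -> str:
    """The vulnerable pattern: user values concatenated into a shell string.
    Shown only to contrast with build_argv below; never use it."""
    return f"{sendmail_path} -t -i -f {sender}"


def build_argv(sendmail_path: str, sender: str) -> List[str]:
    """Hardened form: validate first, then return argv as a list so each
    user value stays exactly one argument and no shell is involved."""
    return [validate_sendmail_path(sendmail_path), "-t", "-i",
            "-f", validate_address(sender)]


def shell_token_count(command: str) -> int:
    """How many arguments a POSIX shell would hand to the program for a string command."""
    return len(shlex.split(command))


def audit_mail_config(values: dict) -> List[str]:
    """Return the config keys whose stored values would be rejected by the
    validators; useful for checking an existing deployment's settings."""
    checks = {"sendmail_path": validate_sendmail_path, "sender": validate_address}
    rejected = []
    for key, check in checks.items():
        try:
            check(values.get(key, ""))
        except MailConfigError:
            rejected.append(key)
    return rejected


def send_message(argv: Sequence[str], message: bytes) -> int:
    """Invoke the validated argv without a shell (a list with shell=False, the default)."""
    proc = subprocess.run(list(argv), input=message, check=False)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample values: one benign, one that contains a space.
    benign = "hr@example.com"
    injected = "hr@example.com extra-arg"
    print(shell_token_count(build_command_unsafe("/usr/sbin/sendmail", benign)))    # 5
    print(shell_token_count(build_command_unsafe("/usr/sbin/sendmail", injected)))  # 6
    print(build_argv("/usr/sbin/sendmail", benign))
    print(audit_mail_config({"sendmail_path": "/tmp/not-sendmail", "sender": injected}))
```

The token-count comparison is the whole point of the bug: with string building, a single configuration field silently grows into additional arguments that the mail binary interprets, whereas with an argv list the same value is one argument whatever it contains, and the validators reject it before it gets that far. Restricting the binary path to an allowlist, rather than merely escaping it, also removes the class of problems where a user-chosen path points at something other than sendmail.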

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) through command injection in the sendmail invocation, allowing arbitrary file writes; when those files are placed in web-accessible directories, this facilitates web shell deployment and remote code execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57487 (shared CWE-94)
CVE-2025-70995 (shared CWE-94)
CVE-2026-32367 (shared CWE-94)
CVE-2026-3352 (shared CWE-94)
CVE-2026-30117 (shared CWE-94)
CVE-2026-45708 (shared CWE-94)
CVE-2023-53888 (shared CWE-94)
CVE-2024-50660 (shared CWE-94)
CVE-2026-26699 (shared CWE-94)
CVE-2025-70073 (shared CWE-94)

Affected Assets

Vendor: orangehrm
Product: orangehrm
Versions: 5.0 — 5.8

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): Directly requires validation and sanitization of user-controlled inputs before they are incorporated into OS sendmail commands, preventing the command injection vulnerability.

SI-2 Flaw Remediation (prevent): Ensures timely identification, reporting, and patching of the input neutralization flaw, as demonstrated by the fix in OrangeHRM version 5.8.

(prevent): Enforces restrictions on mail configuration inputs to block invalid or malicious values that could invoke unintended sendmail behaviors such as arbitrary file writes.
