CVE-2025-66224
Published: 29 November 2025
Summary
CVE-2025-66224 is a high-severity Code Injection (CWE-94) vulnerability in OrangeHRM. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 24.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of user-controlled inputs before they are incorporated into OS-level sendmail commands, preventing the command injection vulnerability.
- SI-2 (Flaw Remediation): Ensures timely identification, reporting, and patching of the input neutralization flaw, as demonstrated by the fix in OrangeHRM version 5.8.
- Enforces restrictions on mail configuration inputs to block invalid or malicious values that could invoke unintended sendmail behaviors such as arbitrary file writes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing web application (T1190) through command injection in the sendmail invocation. The resulting arbitrary file writes facilitate web shell deployment (T1100) and remote code execution when the written files land in web-accessible directories.
NVD Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system's sendmail command. Because these values are not sanitized or constrained before being incorporated into the command execution path, certain sendmail behaviors can be unintentionally invoked during email processing. This makes it possible for the application to write files on the server as part of the mail-handling routine, and in deployments where those files end up in web-accessible locations, the behavior can be leveraged to achieve execution of attacker-controlled content. The issue stems entirely from constructing OS-level command strings using unsanitized input within the mail-sending logic. This issue has been patched in version 5.8.
Deeper analysis
CVE-2025-66224 is a code injection vulnerability (CWE-94) rooted in improper input neutralization, affecting OrangeHRM, an open-source human resource management system, in versions 5.0 through 5.7. The flaw resides in the application's mail configuration and delivery workflow, where user-controlled values are incorporated unsanitized into OS-level sendmail commands. This allows attackers to invoke unintended sendmail behaviors, such as writing files to the server filesystem during email processing. Published on 2025-11-29, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers require low privileges, such as those of an authenticated OrangeHRM user, to exploit the issue remotely with low complexity and no user interaction. By manipulating inputs in the mail-sending logic, they can cause the application to write arbitrary files on the server as part of the mail-handling routine. In deployments where these files land in web-accessible locations, attackers can achieve execution of their controlled content, resulting in high-impact confidentiality, integrity, and availability compromises, including potential remote code execution.
OrangeHRM has patched the vulnerability in version 5.8. Additional details on the fix and affected configurations are available in the GitHub Security Advisory at https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55.
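As an added illustration of the input-validation control (SI-10) against the command construction described above, and not OrangeHRM's own code: the vulnerable string concatenation beside an allow-list validator that returns an argv list for a shell-free invocation. The binary allow-list, switch pattern and recipient pattern are constructed assumptions for this example.

```python
import re
import shlex
from typing import List

# Constructed allow-list for this example (OrangeHRM's own settings are not modelled).
ALLOWED_SENDMAIL_BINARIES = {"/usr/sbin/sendmail", "/usr/lib/sendmail"}
# Short single-dash switches only (e.g. -t, -i); longer switches or attached values are rejected.
_SWITCH_RE = re.compile(r"^-[A-Za-z]{1,2}$")
# Recipient must begin alphanumerically, so it can never be parsed as a switch.
_RECIPIENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

class MailConfigError(ValueError):
    """A mail configuration value is outside the allowed shape."""

def build_sendmail_command_unsafe(config_value: str, recipient: str) -> str:
    # Vulnerable pattern: the stored configuration string is spliced into a shell
    # command line unchanged, so extra switches or metacharacters reach the mailer as typed.
    return f"{config_value} {recipient}"

def validate_sendmail_config(config_value: str) -> List[str]:
    """Tokenise, allow-list the binary and every switch, and return an argv list."""
    try:
        parts = shlex.split(config_value)
    except ValueError as exc:  # unbalanced quotes and similar
        raise MailConfigError(f"unparseable mail command: {exc}") from exc
    if not parts:
        raise MailConfigError("empty mail command")
    binary, switches = parts[0], parts[1:]
    if binary not in ALLOWED_SENDMAIL_BINARIES:
        raise MailConfigError(f"mailer binary not allowed: {binary!r}")
    bad = [s for s in switches if not _SWITCH_RE.fullmatch(s)]
    if bad:
        raise MailConfigError(f"unexpected mailer switches: {bad!r}")
    return [binary, *switches]

def build_sendmail_argv(config_value: str, recipient: str) -> List[str]:
    """Hardened pattern: a validated argv list for subprocess.run(argv, shell=False),
    never a shell string, so no token can be reinterpreted by a shell."""
    if not _RECIPIENT_RE.fullmatch(recipient):
        raise MailConfigError(f"invalid recipient: {recipient!r}")
    return validate_sendmail_config(config_value) + [recipient]

def is_safe_mail_config(config_value: str, recipient: str = "hr@example.com") -> bool:
    """Settings-form predicate: True only when the value would pass validation."""
    try:
        build_sendmail_argv(config_value, recipient)
    except MailConfigError:
        return False
    return True
```

Rejecting the value at the settings form, before it is stored, is the point: validation at send time alone still leaves a malformed mailer command persisted in configuration.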
Details
- CWE(s)