Cyber Resilience

CVE-2025-66225

High

Published: 29 November 2025

Published
29 November 2025
Modified
03 December 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.7th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66225 is a high-severity Improper Input Validation (CWE-20) vulnerability in Orangehrm Orangehrm. Its CVSS base score is 8.7 (High).

Operationally, ranked at the 13.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally…

more

initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

orangehrm
orangehrm
5.0 — 5.8

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-640

Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-345

Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-345

Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.

addresses: CWE-345

Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.

addresses: CWE-345

Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.

addresses: CWE-345

Control requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.

References