Cyber Posture

CVE-2025-1387

Critical

Published: 17 February 2025

Modified: 17 November 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0061 (69.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Orca HCM from LEARNING DIGITAL has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to log in to the system as any user.

Security Summary

CVE-2025-1387, published on 2025-02-17, is an Improper Authentication vulnerability (CWE-1390) affecting Orca HCM, a human capital management system from LEARNING DIGITAL. The flaw enables unauthenticated remote attackers to log in to the system as any user, bypassing normal authentication controls. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its critical severity due to network vector, low complexity, no privileges or user interaction required, and high impacts across confidentiality, integrity, and availability.

Any unauthenticated remote attacker who can reach the affected Orca HCM instance over the network can exploit this vulnerability. Successful exploitation lets the attacker impersonate any user account; depending on the privileges of the impersonated user, this can mean full administrative access, data exfiltration, system modification, or service disruption.

Advisories from TWCERT/CC detail mitigation steps and are available at https://www.twcert.org.tw/en/cp-139-8428-59a9a-2.html and https://www.twcert.org.tw/tw/cp-132-8427-daea8-1.html.

Details

CWE(s): CWE-1390

Affected Products

learningdigital / orca hcm, versions ≤ 11.0

References