CVE-2025-1388

High

Published: 17 February 2025

Published

17 February 2025

Modified

17 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0051 66.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Orca HCM from LEARNING DIGITAL has an Arbitrary File Upload vulnerability, allowing remote attackers with regular privileges to upload and run web shells

Security Summary

CVE-2025-1388, published on 2025-02-17, is an Arbitrary File Upload vulnerability (CWE-434) in Orca HCM, a human capital management software product from LEARNING DIGITAL. The flaw enables remote attackers with regular privileges to upload arbitrary files, including web shells, due to insufficient validation of uploaded file types.

Attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required, provided they possess low-level (regular) privileges on the affected system. Successful exploitation allows attackers to execute uploaded web shells, resulting in high impacts to confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Advisories from TWCERT detail the vulnerability and are available at https://www.twcert.org.tw/en/cp-139-8430-32513-2.html and https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html.

Details

CWE(s): CWE-434

Affected Products

learningdigital

orca hcm

≤ 11.0

References

https://www.twcert.org.tw/en/cp-139-8430-32513-2.html
Third Party Advisory · twcert@cert.org.tw
https://www.twcert.org.tw/tw/cp-132-8429-07d7e-1.html
Third Party Advisory · twcert@cert.org.tw