CVE-2025-1389

High

Published: 17 February 2025

Published

17 February 2025

Modified

17 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Orca HCM from Learning Digital has a SQL Injection vulnerability, allowing attackers with regular privileges to inject arbitrary SQL commands to read, modify, and delete database contents.

Security Summary

CVE-2025-1389 is a SQL injection vulnerability (CWE-89) affecting Orca HCM, a human capital management software product from Learning Digital. Published on 2025-02-17, the flaw enables attackers to inject arbitrary SQL commands into the application, allowing them to read, modify, and delete database contents. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

Attackers with low (regular) privileges can exploit this vulnerability remotely without requiring user interaction. Exploitation involves crafting malicious SQL inputs that execute arbitrary commands on the underlying database, potentially granting unauthorized access to sensitive data, altering records, or causing data loss across the affected system.

Advisories detailing mitigations and patches are available from TWCERT/CC at https://www.twcert.org.tw/en/cp-139-8432-4b516-2.html and https://www.twcert.org.tw/tw/cp-132-8431-61e42-1.html.

Details

CWE(s): CWE-89

Affected Products

learningdigital

orca hcm

≤ 11.0

References

https://www.twcert.org.tw/en/cp-139-8432-4b516-2.html
Third Party Advisory · twcert@cert.org.tw
https://www.twcert.org.tw/tw/cp-132-8431-61e42-1.html
Third Party Advisory · twcert@cert.org.tw