Cyber Posture

CVE-2025-66224

High

Published: 29 November 2025

Modified: 03 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Security Summary

CVE-2025-66224 is an improper input neutralization vulnerability (CWE-94) affecting OrangeHRM, an open-source human resource management system, in versions 5.0 through 5.7. The flaw resides in the application's mail configuration and delivery workflow, where user-controlled values are incorporated unsanitized into OS-level sendmail commands. This allows attackers to invoke unintended sendmail behaviors, such as writing files to the server filesystem during email processing. Published on 2025-11-29, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers require low privileges, such as those of an authenticated OrangeHRM user, to exploit the issue remotely with low complexity and no user interaction. By manipulating inputs in the mail-sending logic, they can cause the application to write arbitrary files on the server as part of the mail-handling routine. In deployments where these files land in web-accessible locations, attackers can achieve execution of their controlled content, resulting in high-impact confidentiality, integrity, and availability compromises, including potential remote code execution.
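The root cause described above is a mail setting reaching the sendmail command line without neutralization. The following Python example is added here for illustration and is not OrangeHRM code or the advisory's fix: it contrasts the vulnerable pattern (user input interpolated into a shell string, so extra tokens become extra sendmail arguments) with a hardened builder that allowlists the sendmail binary, validates the sender strictly, and passes an argv list with no shell. The allowlist, the address regex and the `-t`/`-f` flags are assumptions for the example.

```python
import re
import shlex

# Constructed allowlist for this example: the only sendmail binaries a deployment permits.
SENDMAIL_ALLOWLIST = ("/usr/sbin/sendmail", "/usr/lib/sendmail")

# Strict address shape: local-part@domain with no whitespace, quotes or shell metacharacters.
_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class UnsafeMailValue(ValueError):
    """Raised when a user-supplied mail setting must not reach the sendmail command line."""


def is_safe_sender(address: str) -> bool:
    """True only if the address matches the strict shape and cannot be read as an option."""
    if not _ADDRESS_RE.fullmatch(address):
        return False
    # The regex admits '-' inside the local part, so a value such as '-ofoo@example.com'
    # would still be parsed by sendmail as an option rather than an address; reject it.
    return not address.startswith("-")


def unsafe_sendmail_command(sendmail_path: str, sender: str) -> list[str]:
    """The vulnerable pattern: interpolate user input into a shell string and let the
    shell (simulated here with shlex) tokenize it. Extra tokens become extra arguments."""
    return shlex.split(f"{sendmail_path} -t -f {sender}")


def build_sendmail_argv(sendmail_path: str, sender: str) -> list[str]:
    """Hardened pattern: allowlisted binary, validated sender, argv list with no shell.
    Assumes the sendmail in use accepts '-t' and '-f <sender>' (constructed for this example)."""
    if sendmail_path not in SENDMAIL_ALLOWLIST:
        raise UnsafeMailValue(f"sendmail path not in allowlist: {sendmail_path!r}")
    if not is_safe_sender(sender):
        raise UnsafeMailValue(f"rejected sender value: {sender!r}")
    # Pass this list to subprocess.run(argv) (never shell=True); each element is one argument.
    return [sendmail_path, "-t", "-f", sender]


if __name__ == "__main__":
    # Constructed inputs: one legitimate address, one carrying a space, one option-shaped.
    for value in ("hr@example.com", "hr@example.com -oExtra", "-ohr@example.com"):
        print("unsafe:", unsafe_sendmail_command("/usr/sbin/sendmail", value))
        try:
            print("safe:  ", build_sendmail_argv("/usr/sbin/sendmail", value))
        except UnsafeMailValue as exc:
            print("safe:   rejected:", exc)
```

The second and third constructed inputs show why both the shape check and the leading-dash check are needed: the space smuggles a new token past string interpolation, and the option-shaped value passes the address regex alone.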

OrangeHRM has patched the vulnerability in version 5.8. Additional details on the fix and affected configurations are available in the GitHub Security Advisory at https://github.com/orangehrm/orangehrm/security/advisories/GHSA-2w7w-h5wv-xr55.

Details

CWE(s): CWE-94

Affected Products

Vendor: orangehrm
Product: orangehrm
Versions: 5.0 — 5.8

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability enables exploitation of a public-facing web application (T1190) via command injection in sendmail, allowing arbitrary file writes that facilitate web shell deployment and remote code execution (T1100) when files are placed in web-accessible directories.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References