Critical Vulnerabilities in Orca HCM
February 16, 2025

CVE-2025-1387 and CVE-2025-1388 are two vulnerabilities in the Orca HCM software developed by Learning Digital: an authentication bypass rated Critical and an arbitrary file upload rated High. Read together, they mean that a remote attacker who starts with no account at all can end up executing code on the server: CVE-2025-1387 supplies a login as any user, and that login is the only precondition CVE-2025-1388 requires.
CVE-2025-1388 is an Arbitrary File Upload vulnerability: a remote attacker holding an ordinary (non-administrative) account can upload files of any type, including web shells, to the server. It affects Orca HCM versions up to 10.x, is fixed in 11.0, and carries a CVSS score of 8.8 (High). Because the upload is unrestricted, the impact spans the confidentiality, integrity and availability of the affected system.
Exploitation allows execution of arbitrary code on the server, which in turn can lead to data breaches, access to sensitive information held by the application, and service disruption. The flaw is considered easy to exploit, since nothing beyond an ordinary account is needed, so organizations still running versions before 11.0 should treat the upgrade as urgent.
As an illustration of the attack class (the advisory itself does not publish exploitation details), an attacker with an ordinary account could upload a web shell, for example a PHP script, under an image filename or with an image content type. If the server stores it where the web server will execute it, a single request to the uploaded file runs the attacker's code with the application's privileges and exposes everything the application can read.
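To make the difference between an unrestricted and a restricted upload handler concrete, here is an added example in Python. It is illustrative code written for this page, not Orca HCM's code, and the image-only allow list, the "uploads" directory and the sample payloads are assumptions constructed for the demonstration. `unsafe_accept` shows the pattern that produces this class of bug (trusting the client's Content-Type and filename); `hardened_accept` shows the checks that close it.

```python
import os
import re
import secrets
from typing import Optional

# Allow-listed extensions and the magic bytes a file with that extension must start with.
# Assumption: this endpoint only needs to accept images (e.g., profile photos).
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")

# Constructed sample payloads, not captured from any real system.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32        # looks like the start of a PNG
WEBSHELL_SAMPLE = b"<?php /* web shell body */ ?>"       # server-side script, not an image


def unsafe_accept(filename: str, content_type: str) -> Optional[str]:
    """Vulnerable pattern: trusts the client-supplied Content-Type and keeps the
    client-supplied filename. Returns the path the file would be written to,
    or None if rejected. A web shell sent with 'Content-Type: image/png' passes."""
    if content_type.startswith("image/"):
        return os.path.join("uploads", filename)   # shell.php ends up under the web root
    return None


def hardened_accept(filename: str, data: bytes) -> str:
    """Hardened pattern: size cap, safe basename, allow-listed extension, magic
    bytes that match the extension, and a random server-chosen storage name.
    Raises ValueError on rejection; returns the storage name otherwise."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_BASENAME.match(base):
        raise ValueError("unsafe filename")          # blocks ../ and other path tricks
    name, _, ext = base.lower().rpartition(".")
    if not name or ext not in ALLOWED_TYPES:
        raise ValueError("extension not allowed")    # .php, .jsp, .phtml never reach disk
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError("content does not match extension")   # PHP named avatar.png
    # The client's name is discarded. Store under a random name with the validated
    # extension, in a directory the web server serves as static data, never as code.
    return f"{secrets.token_hex(16)}.{ext}"


def demo() -> dict:
    """Run both handlers over the constructed samples and collect the outcomes."""
    results = {"unsafe_webshell": unsafe_accept("shell.php", "image/png")}
    cases = [
        ("png", "avatar.png", PNG_SAMPLE),                # legitimate image
        ("php_as_png", "avatar.png", WEBSHELL_SAMPLE),    # script disguised by filename
        ("php_ext", "shell.php", WEBSHELL_SAMPLE),        # script with its real extension
        ("traversal", "../../web/x.png", PNG_SAMPLE),     # path traversal attempt
    ]
    for label, name, data in cases:
        try:
            results[label] = hardened_accept(name, data)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The random storage name matters as much as the content check: it stops an attacker from predicting the URL of the uploaded file and defeats double-extension tricks such as `shell.php.png`. The upload directory should additionally be served as static content only, so that even a file that slips through is never interpreted as code.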
CVE-2025-1387 is an Improper Authentication vulnerability: an unauthenticated remote attacker can log into the system as any user without valid credentials. It also affects Orca HCM versions prior to 11.0 and carries a CVSS score of 9.8 (Critical).
The flaw bypasses the authentication mechanism entirely, so an attacker can impersonate any legitimate user, including administrators, and reach whatever that account can see or change. The advisory does not describe the underlying defect beyond this; the essential point for defenders is that the server accepts an identity claim it has not actually verified, so crafted requests that assert an identity are enough to obtain administrative functionality and sensitive data without any credentials.
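The advisory does not state what is wrong in Orca HCM's login. As a generic illustration of the Improper Authentication class, not Orca HCM's code and not a description of this CVE's mechanism, the following added Python example contrasts a server that trusts a client-asserted identity with one that issues HMAC-signed, expiring session tokens only after checking a password hash. The user store, the secret key and the token format are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL_SECONDS = 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real credentials.
_ALICE_SALT = b"constructed-salt"
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}


def vulnerable_current_user(cookies: dict) -> Optional[str]:
    """Vulnerable pattern: the server believes whatever identity the client asserts.
    Nothing proves the client ever authenticated as this user."""
    return cookies.get("user")


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(username: str, now: float) -> str:
    """Create 'username|expiry|mac'; only code holding SERVER_KEY can produce a valid mac."""
    if "|" in username:
        raise ValueError("invalid username")
    payload = f"{username}|{int(now) + SESSION_TTL_SECONDS}"
    return f"{payload}|{_mac(payload)}"


def verify_token(token: str, now: float) -> Optional[str]:
    """Return the username if the token is authentic and unexpired, else None."""
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    username, expiry, mac = parts
    # Constant-time comparison, so mac mismatches cannot be distinguished by timing.
    if not hmac.compare_digest(mac.encode(), _mac(f"{username}|{expiry}").encode()):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    return username


def login(username: str, password: str, now: float) -> Optional[str]:
    """Verify the password against the stored hash, then issue a session token."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return issue_token(username, now)


if __name__ == "__main__":
    now = time.time()
    print("vulnerable check sees:", vulnerable_current_user({"user": "admin"}))
    token = login("alice", "correct horse", now)
    print("hardened check sees:", verify_token(token, now))
    print("forged token:", verify_token("admin|9999999999|00", now))
```

The forged cookie `user=admin` is accepted by `vulnerable_current_user` with no credentials at all, which is the outcome the advisory describes. In the hardened variant, rewriting the username inside a valid token, forging a token without the key, or replaying an expired one all yield `None`.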
Organizations using Orca HCM are strongly advised to take immediate action:
Upgrade: Update to Orca HCM 11.0 or later; this single upgrade addresses both vulnerabilities. Where the upgrade cannot happen at once, restrict network access to the application to trusted sources in the meantime.
Monitor: Watch for signs of exploitation, in particular requests for script files under the upload directory, new files with executable extensions in upload locations, and successful logins for many different users from a single source or at unusual times.
Assess: Treat any Internet-exposed, unpatched instance as potentially compromised. Review upload directories and user accounts for changes made before the patch, and keep regular security assessments and audits on the schedule, since patching closes the hole but does not remove an attacker who already used it.
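The monitoring advice above becomes actionable once it is expressed as checks over logs. The following added Python example, written for this page rather than taken from any vendor guidance, runs two such checks over constructed sample log lines: requests for script-like files under an assumed upload path (/hcm/uploads/), and a single source address completing logins as several distinct users within a minute. The path and log formats are assumptions; the access log uses the common combined format, and the authentication log format is invented for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in combined log format. Not captured from a real system.
ACCESS_LOG = """\
203.0.113.5 - - [16/Feb/2025:10:00:01 +0000] "POST /hcm/profile/upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2025:10:00:04 +0000] "GET /hcm/uploads/avatar_1742.php?cmd=id HTTP/1.1" 200 1337 "-" "curl/8.4.0"
198.51.100.7 - - [16/Feb/2025:10:01:10 +0000] "GET /hcm/uploads/avatar_1743.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2025:10:02:30 +0000] "GET /hcm/uploads/x.jsp HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

# Constructed sample application authentication log. The format is an assumption.
AUTH_LOG = """\
2025-02-16T10:05:00Z login_success user=alice src=203.0.113.5
2025-02-16T10:05:07Z login_success user=bob src=203.0.113.5
2025-02-16T10:05:15Z login_success user=admin src=203.0.113.5
2025-02-16T10:05:20Z login_success user=carol src=198.51.100.7
2025-02-16T10:30:00Z login_success user=carol src=198.51.100.7
"""

UPLOAD_PREFIX = "/hcm/uploads/"   # assumption: URL path where uploaded files are served
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|jspx|asp|aspx|ashx|cgi|pl)(?:$|[?/])", re.I)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTH_RE = re.compile(r"^(?P<ts>\S+) login_success user=(?P<user>\S+) src=(?P<src>\S+)$")


def find_script_requests_in_upload_dir(log_text: str) -> list:
    """Flag any request for a script-like file under the upload directory.
    A 200 means the web server executed or served it; a 404 still shows probing."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": path, "status": int(m["status"])})
    return hits


def find_multi_user_logins(log_text: str, window: timedelta = timedelta(seconds=60),
                           threshold: int = 3) -> dict:
    """Flag a source address that logs in successfully as `threshold` or more distinct
    users within `window`: one client should not be many employees at once."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_src[m["src"]].append((ts, m["user"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= threshold:
                flagged[src] = sorted(users)
    return flagged


if __name__ == "__main__":
    for hit in find_script_requests_in_upload_dir(ACCESS_LOG):
        print("script in upload dir:", hit)
    for src, users in find_multi_user_logins(AUTH_LOG).items():
        print(f"{src} logged in as {len(users)} users within 60s: {users}")
```

On the sample data the first check reports the `.php` request that returned 200 (a web shell being used) and the `.jsp` request that returned 404 (probing), while the second flags 203.0.113.5 for logging in as three different users in fifteen seconds and leaves the single-user source alone. Both checks are cheap enough to run continuously against shipped logs; the thresholds and the upload path must be tuned to the deployment.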
By addressing these vulnerabilities promptly, organizations can significantly reduce their risk exposure and protect their sensitive data from potential threats.