Affected Version<\/strong>: 5.7
Vulnerability Type<\/strong>: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Security Risk<\/strong>: High
Vendor<\/strong>: OrangeHRM Inc
Vendor URL<\/strong>: https:\/\/www.orangehrm.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-66225
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-66225<\/a>
Advisory ID<\/strong>: usd-2025-46<\/p>\n
Description<\/h3>\n
OrangeHRM describes itself as a comprehensive Human Resource Management (HRM) System that captures all the essential functionalities required for any enterprise. OrangeHRM OS is its open source version.<\/p>\n
Version 5.7 of OrangeHRM allows authenticated attackers to take over arbitrary other accounts, including administrative accounts, via a vulnerability in the password reset process.<\/p>\n
Proof of Concept<\/h3>\n
First, a password reset is initiated for an arbitrary account to which the attacker has access via the Forgot your password?<\/em> link on the login page. It is important that the account is configured such that the attacker receives the password reset e-mail. The password reset e-mail contains a link that marks the next step in the password reset process.<\/p>\n When completing the form, a request such as shown in the following listing is sent.<\/p>\n <\/p>\n _token<\/span>=<\/span>674e0cfd8763884[...]2yw<\/span>&<\/span>username<\/span>=<\/span>attacker<\/span>&<\/span>password<\/span>=<\/span>Password123456%21<\/span>&<\/span>confirmPassword<\/span>=<\/span>Password123456%21<\/span><\/p>\n<\/div>\n The request contains the username for which the password is changed. That parameter can be changed arbitrarily in the request to reset the password of another user. For example, intercepting the above request and modifying it to the request shown in the following listing changes the password for the admin<\/strong> user.<\/p>\n The attacker can now login into account admin<\/strong> with password Password123456!<\/strong>.<\/p>\n Note that the _token<\/strong> parameter is a CSRF-token. It is specifically scoped to that stage in the password reset process and can only be used once such that no other CSRF-token can be used. This is the reason why the resetPassword<\/strong> endpoint cannot be accessed without having an arbitrary but valid password reset link and thus requires attackers to have access to an arbitrary account first.<\/p>\n The resetPassword<\/strong> endpoint should verify that the username<\/strong> parameter matches to the one for which a password reset has been initiated via the reset link.<\/p>\n This security vulnerability was identified by Florian Dewald, Roman Hergenreder, Florian Kimmes, DR, Jakob Steeg, and Ole Wagner of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2025-46 | OrangeHRM OS 5.7 - Authenticated Account Takeover via Insecure Password Reset Product: OrangeHRM OSAffected Version: 5.7Vulnerability Type: Weak Password Recovery Mechanism for Forgotten Password (CWE-640)Security Risk: HighVendor: OrangeHRM IncVendor URL: https:\/\/www.orangehrm.com\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2025-66225CVE Link: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-66225Advisory ID: usd-2025-46 Description OrangeHRM describes itself as a comprehensive Human Resource Management (HRM) […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24558","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24558"}],"version-history":[{"count":4,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24558\/revisions"}],"predecessor-version":[{"id":24693,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24558\/revisions\/24693"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/11\/reset-initial.png\")
<\/p>\n<\/span>POST<\/span> \/web\/index.php\/auth\/resetPassword<\/span> HTTP<\/span>\/<\/span>1.1\n<\/span>Host<\/span>:<\/span> 10.3.161.14\n<\/span>Cookie<\/span>:<\/span> _orangehrm=j5bqlmhnuhfg05oenp7n6cjkao\n<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded\n<\/span>Content-Length<\/span>:<\/span> 204\n<\/span>[...]<\/span><\/pre>\n<\/span>POST<\/span> \/web\/index.php\/auth\/resetPassword<\/span> HTTP<\/span>\/<\/span>1.1\n<\/span>Host<\/span>:<\/span> 10.3.161.14\n<\/span>Cookie<\/span>:<\/span> _orangehrm=j5bqlmhnuhfg05oenp7n6cjkao\n<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded\n<\/span>Content-Length<\/span>:<\/span> 201\n<\/span>[...]\n\n<\/span>_token<\/span>=<\/span>674e0cfd8763884[...]2yw<\/span>&<\/span>username<\/span>=<\/span>admin<\/span>&<\/span>password<\/span>=<\/span>Password123456%21<\/span>&<\/span>confirmPassword<\/span>=<\/span>Password123456%21<\/span><\/pre>\n<\/div>\nFix<\/h3>\n
References<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n