Affected Version<\/strong>: 5.7
Vulnerability Type<\/strong>: Improper Neutralization of Special Elements used in an OS Command (CWE-78)
Security Risk<\/strong>: Critical
Vendor<\/strong>: OrangeHRM Inc
Vendor URL<\/strong>: https:\/\/www.orangehrm.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-66224
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-66224<\/a>
Advisory ID<\/strong>: usd-2025-47<\/p>\n
Description<\/h3>\n
OrangeHRM describes itself as a comprehensive Human Resource Management (HRM) System that captures all the essential functionalities required for any enterprise. OrangeHRM OS is its open source version.<\/p>\n
Version 5.7 of OrangeHRM allows authenticated attackers OS command injection via mail configuration.<\/p>\n
First of all, it should be noted that certain requirements must be met for successful exploitation:<\/p>\n
- \n
- A properly installed and configured version of sendmail<\/strong> is required. According to the GitHub issues, the Ubuntu sendmail<\/strong> package does not work properly with the -bs<\/strong> parameter. See here: https:\/\/github.com\/orangehrm\/orangehrm\/issues\/1734<\/a> This setting can only be changed via database access. Additionally, sendmail<\/strong> must be selected as the active mail component for sending emails. This setting can be configured by administrative accounts within the application.<\/li>\n
- Provided that sendmail<\/strong> is properly installed, configured and selected as the active mail component for sending emails, exploitation is also possible by users with low privileges.<\/li>\n<\/ul>\n
Proof of Concept<\/h3>\n
Administrative users can perform the mail configuration in the administration menu. For successful exploitation, sendmail<\/strong> must be selected as the sending method, as shown in the following screenshot:<\/p>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/11\/mail_configuration.png\")
<\/p>\nThe default value for the path to sendmail is \/usr\/bin\/sendmail -bs<\/strong>. As described in issue 1734 https:\/\/github.com\/orangehrm\/orangehrm\/issues\/1734,<\/a> sending mails fails with this setting in Ubuntu. As a workaround, the parameter must be changed from -bs<\/strong> to -t<\/strong>. This setting can only be changed with database access.<\/p>\n
With the working configuration, a low-privileged user can now, for example, use the password reset function to generate and send an email. The user can specify the name and email address themselves. It is possible to embed PHP code as the name, such as <?php phpinfo();?><\/strong>. The email address can be set, as in the following example, as -X\/var\/www\/html\/exec@mail.php<\/strong>, which is then passed to the sendmail command. The -X<\/strong> parameter in sendmail is used to save the sent mail in a log file. As shown, the storage location of the log file is defined with the .php<\/strong> file extension in the webroot:<\/p>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/11\/personalinfos.png\")
<\/p>\nWhen a user now uses the password reset function, the logged email is stored in the file exec@mail.php<\/strong> in the web root. The PHP code previously entered in the name field is executed, as shown here:<\/p>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/11\/exec.png\")
<\/p>\nFix<\/h3>\n
It is recommended to always validate and sanitize all inputs used in OS commands, employ parameterized APIs whenever possible, and avoid constructing command strings with user-controlled data.<\/p>\nReferences<\/h3>\n
<\/p>\n
- \n
- https:\/\/github.com\/orangehrm\/orangehrm<\/a><\/li>\n
- https:\/\/github.com\/orangehrm\/orangehrm\/security\/advisories\/GHSA-2w7w-h5wv-xr55<\/a><\/li>\n<\/ul>\n
Timeline<\/h3>\n
- \n
- 2025-09-12<\/strong>: First contact request via e-mail.<\/li>\n
- 2025-09-15<\/strong>: Vulnerability details have been transmitted through an encrypted channel.<\/li>\n
- 2025-10-07<\/strong>: Asked the vendor for an update.<\/li>\n
- 2025-10-08<\/strong>: Vendor has confirmed the vulnerability and initiated remediation.<\/li>\n
- 2025-11-11<\/strong>: Vendor has asked to extend the disclosure timeline while QA testing and finalizing the patch.<\/li>\n
- 2025-11-11<\/strong>: We agreed to extend the timeline.<\/li>\n
- 2025-11-28<\/strong>:\u00a0The vendor has released a patch (v5.8)<\/li>\n
- 2025-12-01<\/strong>: This advisory is published.<\/li>\n<\/ul>\n
Credits<\/h3>\n
This security vulnerability was identified by Florian Dewald, Roman Hergenreder, Florian Kimmes, DR, Jakob Steeg, and Ole Wagner of usd AG.<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
usd-2025-47 | OrangeHRM OS 5.7 - Improper Neutralization of Special Elements used in an OS Command Product: OrangeHRM OSAffected Version: 5.7Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command (CWE-78)Security Risk: CriticalVendor: OrangeHRM IncVendor URL: https:\/\/www.orangehrm.com\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: CVE-2025-66224CVE Link: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-66224Advisory ID: usd-2025-47 Description OrangeHRM describes itself as […]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24594","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24594"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24594\/revisions"}],"predecessor-version":[{"id":24702,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24594\/revisions\/24702"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- 2025-09-15<\/strong>: Vulnerability details have been transmitted through an encrypted channel.<\/li>\n
- https:\/\/github.com\/orangehrm\/orangehrm\/security\/advisories\/GHSA-2w7w-h5wv-xr55<\/a><\/li>\n<\/ul>\n
- Provided that sendmail<\/strong> is properly installed, configured and selected as the active mail component for sending emails, exploitation is also possible by users with low privileges.<\/li>\n<\/ul>\n