CVE-2025-44040
Last modified
CVE-2025-44040 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present otherwise.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Orangehrm | Orangehrm | 5.7 |
References
- https://github.com/hexomedin3/advisories/tree/main/CVE-2025-44040Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2025-44040?
How severe is CVE-2025-44040?
How do I fix CVE-2025-44040?
Are you affected by CVE-2025-44040?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST