Overview
CVE-2025-66290 is a broken access control vulnerability in OrangeHRM versions 5.0 through 5.7. It allows any authenticated user to retrieve recruitment attachments such as candidate resumes and cover letters, including users who hold only ESS (Employee Self-Service) permissions and should have no access to the Recruitment module at all.
Technical Details
The vulnerability stems from a missing authorization check in the application's recruitment attachment retrieval endpoint. When an authenticated request reaches this endpoint, OrangeHRM validates the user's session but does not verify that the user holds permission for the Recruitment module or for the candidate's data. Authentication is effectively treated as authorization: any logged-in user, regardless of assigned role or permissions, can download applicant documents by requesting the attachment directly rather than through the Recruitment UI that their role hides from them. In practice, anyone with a valid OrangeHRM account can retrieve the resume of any candidate who has applied through the system.
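The following is an added illustration of the flaw as described, not OrangeHRM's own code (OrangeHRM is written in PHP; the handler names, the permission string, the in-memory user table and the attachment IDs below are all constructed for this example). It places the pre-5.8 behaviour, where only the session is checked, beside a hardened handler that checks the module permission before it touches the record.

```python
"""Illustrative model of the missing authorization check.

Added example, not OrangeHRM code: the permission name, users and
attachments are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional

RECRUITMENT_PERMISSION = "recruitment.candidate.read"  # hypothetical permission name


@dataclass
class User:
    username: str
    role: str
    permissions: frozenset = field(default_factory=frozenset)


@dataclass
class Session:
    user: Optional[User]  # None models an unauthenticated request


# Constructed sample data: one HR admin, one ESS-only employee, one candidate resume.
USERS = {
    "hr_admin": User("hr_admin", "Admin", frozenset({RECRUITMENT_PERMISSION})),
    "ess_user": User("ess_user", "ESS", frozenset()),
}
ATTACHMENTS = {
    101: {"candidate": "Alice Applicant", "filename": "alice_resume.pdf", "bytes": b"%PDF-1.4 ..."},
}


def fetch_attachment_vulnerable(session: Session, attachment_id: int):
    """Pre-5.8 behaviour as described: only the session is checked.

    Returns (http_status, body). Any logged-in user receives the file.
    """
    if session.user is None:
        return 401, None                      # authentication happens here...
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None:
        return 404, None
    return 200, attachment["bytes"]           # ...but authorization never does


def fetch_attachment_fixed(session: Session, attachment_id: int):
    """Hardened handler: authenticate, then authorize against the module
    permission, and only then look the record up.

    The permission check runs before the lookup so that an unauthorized
    caller gets 403 for every ID and cannot enumerate which IDs exist.
    """
    if session.user is None:
        return 401, None
    if RECRUITMENT_PERMISSION not in session.user.permissions:
        return 403, None
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None:
        return 404, None
    return 200, attachment["bytes"]


if __name__ == "__main__":
    ess = Session(USERS["ess_user"])
    hr = Session(USERS["hr_admin"])
    for name, handler in (("vulnerable", fetch_attachment_vulnerable),
                          ("fixed", fetch_attachment_fixed)):
        print(f"{name:10} ESS user -> {handler(ess, 101)[0]} | HR admin -> {handler(hr, 101)[0]}")
```

The ordering in the fixed handler matters: checking the permission before the database lookup means an ESS account sees the same 403 for valid and invalid IDs, so the endpoint leaks neither the document nor the set of attachment IDs.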
CVSS Analysis
An official Common Vulnerability Scoring System (CVSS) score for CVE-2025-66290 had not been published at the time of writing, so no authoritative CVSS analysis can be given here. From the description alone, the flaw is reachable over the network, needs only low privileges (any authenticated account, including ESS), requires no user interaction, and exposes confidential data without affecting integrity or availability. Under CVSS 3.1 a vector of that shape (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5, Medium. A HIGH rating would need either a lower privilege requirement or an impact beyond confidentiality, and CRITICAL is unlikely for an authenticated, read-only flaw. This is an estimate from the public description, not a published score. Whatever the final number, exposing applicant PII to every account holder is a significant risk for any organization that runs recruitment through OrangeHRM.
Possible Impact
The exploitation of CVE-2025-66290 can lead to several serious consequences:
- Data Breach: Unauthorized access to candidate resumes, cover letters, and other uploaded documents containing Personally Identifiable Information (PII).
- Compliance Violations: Potential violation of data privacy regulations such as GDPR, CCPA, and others, resulting in fines and legal repercussions.
- Reputational Damage: Loss of trust from candidates and employees due to the perceived lack of security measures.
- Identity Theft: Information gleaned from exposed documents could be used for identity theft or other malicious activities.
Mitigation and Patch Steps
The vulnerability has been patched in OrangeHRM version 5.8. The following steps are strongly recommended:
- Upgrade to Version 5.8: Immediately upgrade your OrangeHRM installation to version 5.8 or later. This is the primary and most effective mitigation.
- Review User Permissions: After upgrading, review and verify the permissions of all users, ensuring that ESS users do not have unintended access to the Recruitment module.
- Monitor Access Logs: Review application and web-server logs for requests to the recruitment attachment endpoint made by accounts that do not hold Recruitment permissions, with particular attention to the period before the upgrade: successful downloads by ESS-only users mean the flaw was exercised and the affected candidates' data should be treated as exposed. Keep monitoring after the upgrade so that attempts that are now rejected remain visible.
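As an added example of the log review recommended above (not part of the advisory or of OrangeHRM), the script below parses request logs, joins them with a map of which accounts legitimately hold Recruitment permission, and reports every successful attachment download by an account that lacks it. The log line format, the endpoint path pattern `/recruitment/attachment/<id>` and the permission map are constructed placeholders; substitute the real path and log fields from your deployment.

```python
"""Retrospective review of access logs for the attachment endpoint.

Added example, not part of the advisory. Log format, endpoint path and the
user-to-permission map are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed sample log lines: one request per line, application-style.
SAMPLE_LOG = """\
2025-11-28T08:02:11Z user=hr_admin method=GET path=/recruitment/attachment/101 status=200
2025-11-28T08:05:43Z user=ess_user method=GET path=/pim/viewPersonalDetails status=200
2025-11-28T08:06:02Z user=ess_user method=GET path=/recruitment/attachment/101 status=200
2025-11-28T08:06:03Z user=ess_user method=GET path=/recruitment/attachment/102 status=200
2025-11-28T08:06:04Z user=ess_user method=GET path=/recruitment/attachment/103 status=404
2025-11-29T10:15:09Z user=ess_user method=GET path=/recruitment/attachment/104 status=403
2025-11-29T10:20:30Z user=hr_admin method=GET path=/recruitment/attachment/104 status=200
"""

# Constructed permission map: accounts that legitimately hold Recruitment access.
# Any account missing from this map is treated as NOT authorized.
USER_PERMISSIONS = {
    "hr_admin": {"recruitment"},
    "ess_user": set(),   # ESS-only employee: should never reach the endpoint
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
ATTACHMENT_RE = re.compile(r"^/recruitment/attachment/(?P<id>\d+)$")  # placeholder path


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unauthorized_downloads(text, permissions):
    """Return (exposed, attempts).

    exposed:  {user: sorted attachment ids} for status-200 downloads by users
              without Recruitment permission (data actually left the server).
    attempts: {user: count} of non-200 hits on the endpoint by such users,
              kept separately so probing is still visible after the patch.
    """
    exposed = defaultdict(set)
    attempts = defaultdict(int)
    for entry in parse_log(text):
        m = ATTACHMENT_RE.match(entry["path"])
        if not m:
            continue                                   # not the attachment endpoint
        if "recruitment" in permissions.get(entry["user"], set()):
            continue                                   # legitimate recruiter traffic
        if entry["status"] == "200":
            exposed[entry["user"]].add(int(m["id"]))
        else:
            attempts[entry["user"]] += 1
    return {u: sorted(ids) for u, ids in exposed.items()}, dict(attempts)


if __name__ == "__main__":
    exposed, attempts = find_unauthorized_downloads(SAMPLE_LOG, USER_PERMISSIONS)
    for user, ids in exposed.items():
        print(f"{user}: downloaded {len(ids)} attachment(s) without Recruitment permission: {ids}")
    for user, n in attempts.items():
        print(f"{user}: {n} rejected or failed attempt(s) on the attachment endpoint")
```

Two design points are worth keeping when adapting this: the permission map is the authoritative source, so an account missing from it is flagged rather than silently ignored, and a run of consecutive attachment IDs from one low-privilege account (as in the sample) is the enumeration pattern that distinguishes deliberate harvesting from a single stray click.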
