CVE-2025-66289
📋 TL;DR
OrangeHRM versions 5.0 through 5.7 fail to invalidate active user sessions when accounts are disabled or passwords are changed. This allows disabled users or attackers with compromised credentials to maintain access indefinitely using existing session cookies. All organizations running affected OrangeHRM versions are vulnerable to unauthorized access and account takeover.
💻 Affected Systems
- OrangeHRM
📦 What is this software?
OrangeHRM, an open-source human resource management (HRM) system developed by OrangeHRM.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised credentials maintains persistent access even after password reset, enabling prolonged data theft, privilege escalation, or system compromise.
Likely Case
Disabled employees retain access to HR systems, violating access controls and potentially exposing sensitive personnel data.
If Mitigated
With proper session management controls, impact is limited to temporary access until sessions naturally expire.
🎯 Exploit Status
Exploitation requires initial authentication but is trivial once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8
Vendor Advisory: https://github.com/orangehrm/orangehrm/security/advisories/GHSA-99qp-xh4q-pr9x
Restart Required: Yes
Instructions:
1. Back up your OrangeHRM installation and database.
2. Download OrangeHRM version 5.8 from the official repository.
3. Replace the existing files with the new version.
4. Run any database migration scripts.
5. Restart web server services.
🔧 Temporary Workarounds
Manual Session Invalidation
Platform: all
Manually clear session storage or invalidate sessions when disabling accounts or resetting passwords.
# Requires custom code modification to clear session data
Reduce Session Lifetime
Platform: all
Configure shorter session timeout values to limit the exposure window.
# Modify session.gc_maxlifetime in php.ini or application configuration
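The control behind both workarounds, revoking a user's sessions when the account is disabled or the password changes, shown in Python as an added example that is not OrangeHRM's own code. The `SessionStore` class, the `credential_version` field and every other name are this example's own assumptions; constructing the store with `invalidate_on_change=False` reproduces the vulnerable behaviour so the two can be compared side by side.

```python
"""Session store that binds each session to the account state it was issued under.

Added example for this advisory; not OrangeHRM's session handling. All names
(SessionStore, User, Session, credential_version) are the example's own.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    username: str
    enabled: bool = True
    credential_version: int = 0   # incremented on every password change


@dataclass
class Session:
    username: str
    credential_version: int       # user's version at the time of login
    expires_at: float


class SessionStore:
    def __init__(self, lifetime_seconds=1800, invalidate_on_change=True):
        self.lifetime = lifetime_seconds
        # False reproduces the vulnerable behaviour: a session outlives the
        # account state (enabled flag, password) it was issued under.
        self.invalidate_on_change = invalidate_on_change
        self.users = {}     # username -> User
        self.sessions = {}  # session id -> Session

    def add_user(self, username):
        self.users[username] = User(username)

    def login(self, username, now=None):
        now = time.time() if now is None else now
        user = self.users[username]
        if not user.enabled:
            raise PermissionError("account disabled")
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[sid] = Session(username, user.credential_version,
                                     now + self.lifetime)
        return sid

    def is_valid(self, sid, now=None):
        """Called on every request with the cookie value."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None or now >= s.expires_at:
            self.sessions.pop(sid, None)
            return False
        if self.invalidate_on_change:
            user = self.users[s.username]
            # Per-request check, in addition to eager revocation below: it also
            # catches sessions the store could not enumerate at revocation time
            # (e.g. file-backed PHP sessions living on another web node).
            if not user.enabled or s.credential_version != user.credential_version:
                del self.sessions[sid]
                return False
        return True

    def disable_user(self, username):
        self.users[username].enabled = False
        self._revoke_sessions(username)

    def change_password(self, username):
        self.users[username].credential_version += 1
        self._revoke_sessions(username)

    def _revoke_sessions(self, username):
        if not self.invalidate_on_change:
            return   # vulnerable variant: existing cookies keep working
        stale = [sid for sid, s in self.sessions.items() if s.username == username]
        for sid in stale:
            del self.sessions[sid]


if __name__ == "__main__":
    for patched in (True, False):
        store = SessionStore(invalidate_on_change=patched)
        store.add_user("alice")
        sid = store.login("alice", now=0)
        store.disable_user("alice")
        print(f"invalidate_on_change={patched}: cookie still valid after disable ->",
              store.is_valid(sid, now=1))
```

Two independent mechanisms are shown on purpose: eager revocation deletes the sessions the store knows about, and the per-request comparison of `credential_version` and `enabled` rejects any cookie that slipped through (for example one held in a session backend the application cannot enumerate). Shortening `session.gc_maxlifetime` only narrows the window; it does not replace either check.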
🧯 If You Can't Patch
- Implement mandatory periodic password resets for all users
- Deploy network segmentation to isolate OrangeHRM from critical systems
🔍 How to Verify
Check if Vulnerable:
Check OrangeHRM version in admin panel or by examining application files. Versions 5.0-5.7 are vulnerable.
Check Version:
Check OrangeHRM version in Admin → System Info or examine version.php file
Verify Fix Applied:
After upgrading to 5.8, test that disabling a user account immediately invalidates active sessions.
📡 Detection & Monitoring
Log Indicators:
- User activity after account disable timestamps
- Session IDs persisting beyond password change events
Network Indicators:
- Unusual session duration patterns
- Access from disabled user accounts
SIEM Query (pseudo-query; adapt it to your platform's syntax and field names):
source="orangehrm.log" (event="user_disable" OR event="password_change") AND same_session_id activity after event
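The two log indicators above turned into concrete detection logic, as an added example that is not part of this advisory or of OrangeHRM. The log format (ISO-8601 timestamp followed by `key=value` pairs), the field names and the event names `login`, `page_view`, `user_disable` and `password_change` are constructed for the example; the parser has to be mapped onto whatever your deployment actually emits.

```python
"""Flag requests served on a session that predates a disable / password-change
event for the same user but was still used after it.

Added example for this advisory. The log format and event names below are
constructed and are not OrangeHRM's audit output.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real OrangeHRM output). bob's session s1 and
# carol's session s2 should be flagged; carol's fresh session s3 should not.
SAMPLE_LOG = """\
2025-11-20T09:00:00Z event=login user=bob session=s1
2025-11-20T09:05:00Z event=page_view user=bob session=s1 path=/pim/viewEmployeeList
2025-11-20T09:10:00Z event=user_disable actor=admin target=bob
2025-11-20T09:15:00Z event=page_view user=bob session=s1 path=/pim/viewEmployeeList
2025-11-20T09:00:30Z event=login user=carol session=s2
2025-11-20T09:20:00Z event=password_change actor=carol target=carol
2025-11-20T09:25:00Z event=login user=carol session=s3
2025-11-20T09:30:00Z event=page_view user=carol session=s3 path=/admin/viewSystemUsers
2025-11-20T09:31:00Z event=page_view user=carol session=s2 path=/admin/viewSystemUsers
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
REVOKING_EVENTS = {"user_disable", "password_change"}   # events that must end sessions


def parse_line(line):
    """'<timestamp> k=v k=v ...' -> dict of fields plus a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_stale_sessions(log_text):
    """Return (user, session, event, event_ts, activity_ts) for every request
    whose session was first seen before a revoking event for that user and
    was used again after it."""
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    first_seen = {}                  # session id -> timestamp of first use
    revocations = defaultdict(list)  # username -> [(event name, timestamp)]
    findings = []
    for r in records:
        event = r["event"]
        if event in REVOKING_EVENTS:
            revocations[r["target"]].append((event, r["ts"]))
            continue
        sid = r.get("session")
        if sid is None:
            continue
        first_seen.setdefault(sid, r["ts"])
        for name, when in revocations[r["user"]]:
            # Session issued before the event, request served after it.
            if first_seen[sid] < when < r["ts"]:
                findings.append((r["user"], sid, name, when, r["ts"]))
    return findings


if __name__ == "__main__":
    for user, sid, event, when, used in find_stale_sessions(SAMPLE_LOG):
        print(f"{user}: session {sid} used at {used:%H:%M:%S} "
              f"after {event} at {when:%H:%M:%S}")
```

Every post-event request is reported, not just the first, so the output doubles as a timeline for incident response; a session created after the event (carol's `s3`) is correctly left alone because its first-seen time is later than the revoking event. In a live deployment the same logic applies to login sessions the HR application itself records; only the parser changes.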