CVE-2025-44040

Published: May 21, 2025

Modified: Oct 13, 2025

PUBLISHED

Description

An issue in OrangeHRM v.5.7 allows an attacker to escalate privileges via UserService.php and the checkForOldHash function. Authentication decisions may be made via PHP loose-equality comparisons if a specific MD5 value is present in the credential store. NOTE: this is disputed by the Supplier because an adversary has no way to place the specific MD5 value into the credential store (unless they already have full privileges) and because the specific MD5 value would not realistically be present otherwise.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/orangehrm/orangehrm/releases/tag/v5.7

https://github.com/hexomedin3/advisories/tree/main/CVE-2025-44040

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-44040

Description

Affected Products

References