Authenticated Remote Code Execution in Horilla HRM v1.3 (CVE‑2025‑48868) Exposes Enterprises to Full System Compromise
What Happened — A publicly available exploit (EDB‑52497) targets an authenticated remote‑code‑execution flaw (CVE‑2025‑48868) in Horilla HRM software version ≤ 1.3. The script logs in with valid credentials, creates a project, and injects a payload that opens a reverse shell on the victim host.
Why It Matters for TPRM —
- An attacker who obtains or guesses a legitimate user account can gain arbitrary code execution on any server running Horilla HRM.
- Compromise of the HRM platform can expose employee personal data, payroll information, and internal network credentials.
- The vulnerability is exploitable on default Docker/Ubuntu deployments, meaning many SaaS‑hosted or on‑premise installations are at risk.
Who Is Affected — HR/Payroll SaaS providers, enterprise HR departments, managed service providers that host Horilla instances, and any organization that has deployed Horilla HRM ≤ v1.3.
Recommended Actions —
- Verify whether Horilla HRM v1.3 or earlier is in use across your vendor ecosystem.
- Apply the vendor‑released patch (or upgrade to the latest major version) immediately.
- Rotate all Horilla service‑account passwords and enforce MFA where possible.
- Conduct a focused penetration test on the HRM environment to confirm no backdoors remain.
Technical Notes — The exploit requires valid credentials (authenticated RCE) and abuses a server‑side request handling flaw in the /project/project-bulk-archive endpoint. No CVE‑specific mitigation was listed in the advisory; the vendor released a patch shortly after disclosure. Data types at risk include personally identifiable information (PII), payroll records, and internal HR communications. Source: Exploit‑DB 52497
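As an added defensive example (not part of the advisory or of the Horilla project), the following Python triages web‑server access logs for POST requests to the endpoint named above and scores each source. The log lines, addresses and user agents are constructed, and the heuristics (non‑browser user agent, missing referer, rapid repeats) are assumptions about how interactive use of the bulk‑archive UI normally looks, not anything the advisory states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format. Only the
# request path comes from the advisory; hosts, users, times and agents are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2025:09:14:02 +0000] "GET /project/project-view/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2025:09:14:31 +0000] "POST /project/project-bulk-archive HTTP/1.1" 200 214 "-" "python-requests/2.32.3"
203.0.113.10 - - [12/Jun/2025:09:14:33 +0000] "POST /project/project-bulk-archive HTTP/1.1" 200 214 "-" "python-requests/2.32.3"
198.51.100.7 - - [12/Jun/2025:10:02:45 +0000] "POST /project/project-bulk-archive HTTP/1.1" 302 0 "https://hr.example.internal/project/project-view/" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2025:10:03:01 +0000] "GET /employee/employee-view/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET_PATH = "/project/project-bulk-archive"   # endpoint named in the advisory
BROWSER_UA_HINT = "Mozilla/"                    # assumption: UI traffic comes from browsers
REPEAT_WINDOW_S = 60                            # assumption: scripted use repeats quickly

def find_suspicious_bulk_archive(log_text):
    """Return {source_ip: {"hits": n, "indicators": [...]}} for POSTs to TARGET_PATH.
    Indicators are triage hints, not proof of exploitation: a legitimate admin
    archiving projects from the UI would normally show none of them."""
    findings = defaultdict(lambda: {"hits": 0, "indicators": set(), "times": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                             # skip unparseable lines rather than crash
        ev = m.groupdict()
        if ev["method"] != "POST" or ev["path"].rstrip("/") != TARGET_PATH:
            continue
        f = findings[ev["ip"]]
        f["hits"] += 1
        f["times"].append(datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if BROWSER_UA_HINT not in ev["ua"]:
            f["indicators"].add("non-browser user agent")
        if ev["referer"] == "-":
            f["indicators"].add("no referer")
    for f in findings.values():
        t = sorted(f["times"])
        if any((b - a).total_seconds() < REPEAT_WINDOW_S for a, b in zip(t, t[1:])):
            f["indicators"].add(f"repeated within {REPEAT_WINDOW_S}s")
    return {ip: {"hits": f["hits"], "indicators": sorted(f["indicators"])}
            for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, f in find_suspicious_bulk_archive(SAMPLE_LOG).items():
        print(ip, f)
```

Run it against real access logs after patching as well: a source that still hits the endpoint with these indicators is a candidate for the credential rotation and follow‑up review recommended above.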