OrangeHRM Open Source versions 5.0 through 5.8 use AES in ECB mode to encrypt sensitive fields. ECB mode preserves block‑aligned plaintext patterns in the ciphertext, which is a weakness classified as CWE‑326. This flaw allows an attacker who can read the encrypted data to observe repeating patterns that correspond to identical plaintext blocks, revealing structural information about the data without the need for key recovery. The result is a loss of confidentiality for fields that should remain protected, such as employee personal identifiers or credentials. The vulnerability does not provide code execution or direct system compromise; its impact is limited to pattern disclosure and potential inference of sensitive values.

The affected product is OrangeHRM Open Source. Versions from 5.0 up to and including 5.8 are vulnerable. Version 5.8.1 and later include a fix that replaces AES‑ECB with a stronger encryption mode, eliminating the pattern disclosure issue.

The CVSS score of 2.1 indicates low severity, and the EPSS score of less than 1% reflects a low likelihood of exploitation. OrangeHRM is not listed in the CISA KEV catalog, suggesting that this flaw is not widely exploited. Attackers would need legitimate or compromised read access to the database or application configuration to benefit from the pattern disclosure. Because the vulnerability exposes only statistical patterns and not plaintext, the immediate threat is a potential compromise of data confidentiality rather than a full system takeover. Nevertheless, in environments where sensitive employee data is stored, pattern leakage could aid in reconstructing passwords, identifiers, or other protected fields when combined with additional information.