CVE-2025-63294: n/a
WorkDo HRM SaaS HR and Payroll Tool 8.1 is vulnerable to Insecure Permissions. An authenticated user can create leave or resignation records on behalf of other users.
AI Analysis
Technical Summary
CVE-2025-63294 identifies an insecure permissions vulnerability in WorkDo HRM SaaS HR and Payroll Tool version 8.1. The vulnerability allows any authenticated user within the system to create leave or resignation records on behalf of other users without proper authorization checks. This indicates a failure in access control mechanisms, where the application does not sufficiently verify whether the requesting user has the right to modify or create records for other employees. The flaw could be exploited by malicious insiders or compromised accounts to manipulate HR data, potentially causing unauthorized absences, premature resignations, or other workforce disruptions. Although the vulnerability requires authentication, it does not require administrative privileges, broadening the scope of potential attackers to any legitimate user. The lack of a CVSS score suggests the vulnerability is newly disclosed and not yet fully assessed. No known public exploits exist, indicating limited current exploitation but a risk for future abuse. The vulnerability impacts data integrity primarily, with possible secondary effects on availability if HR processes are disrupted. The absence of patch links suggests that a fix may not yet be available, emphasizing the need for interim mitigations. Organizations relying on WorkDo HRM for critical HR and payroll functions should prioritize reviewing user roles and permissions and monitoring for suspicious HR record changes.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity of HR and payroll data, which are critical for compliance with labor laws and internal governance. Unauthorized creation of leave or resignation records can lead to workforce management errors, payroll discrepancies, and potential legal liabilities. In countries with strict employment regulations and data protection laws such as GDPR, improper handling or manipulation of employee records can result in regulatory penalties and reputational damage. The vulnerability could be exploited by disgruntled employees or attackers who gain access to user credentials, leading to internal sabotage or fraud. Additionally, inaccurate HR data may disrupt operational continuity, affecting productivity and employee morale. The risk is heightened in organizations with large, distributed workforces using SaaS HR platforms without granular access controls. Since WorkDo HRM is a SaaS tool, the impact also depends on the vendor’s response and patch deployment speed. European companies with outsourced HR functions or hybrid cloud environments may face challenges in timely mitigation and monitoring. Overall, the vulnerability threatens confidentiality indirectly through potential insider misuse and directly compromises data integrity and availability of HR services.
Mitigation Recommendations
1. Immediately review and tighten user permissions within the WorkDo HRM platform to ensure that only authorized personnel can create or modify leave and resignation records for other users.
2. Implement role-based access control (RBAC) policies that strictly separate duties and minimize privilege overlap among users.
3. Monitor audit logs for unusual HR record creation or modification activities, focusing on patterns that indicate unauthorized actions.
4. Enforce multi-factor authentication (MFA) for all users to reduce the risk of compromised credentials being used to exploit this vulnerability.
5. Engage with the WorkDo vendor to obtain patches or updates addressing this insecure permissions issue as soon as they become available.
6. Conduct regular security awareness training for HR and administrative staff to recognize and report suspicious activities.
7. If possible, implement additional application-layer controls or compensating controls such as workflow approvals for leave and resignation submissions.
8. Consider isolating HRM SaaS access to trusted networks or VPNs to reduce exposure.
9. Prepare incident response plans specific to HR data integrity breaches to enable rapid containment and remediation.
10. Regularly back up HR data and verify backup integrity to enable recovery from malicious or accidental data tampering.
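As an added illustration (not WorkDo code; the role names, request model and audit-log format are assumed), the following Python shows the server-side ownership check that the Technical Summary describes as missing, beside a detector for mitigation item 3 that runs the same rule over constructed audit-log lines:

```python
from dataclasses import dataclass

# Hypothetical request model: the actor is the logged-in user, the subject is
# the employee a leave/resignation record is being filed for.
@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset  # assumed role names, e.g. {"employee"} or {"hr"}

def can_create_record_for(actor: User, subject_id: int) -> bool:
    """Authorization rule version 8.1 is reported to lack: a user may file
    leave/resignation records only for themselves unless they hold the
    (assumed) "hr" role. The submitted subject id is never trusted alone."""
    if actor.user_id == subject_id:
        return True
    return "hr" in actor.roles

def create_leave_record(actor: User, subject_id: int, reason: str) -> dict:
    # Hardened form: refuse the request instead of storing whatever subject id
    # the client sent.
    if not can_create_record_for(actor, subject_id):
        raise PermissionError(f"user {actor.user_id} may not file for {subject_id}")
    return {"actor": actor.user_id, "subject": subject_id, "type": "leave", "reason": reason}

# Detection side (mitigation item 3): flag audit events where a non-HR actor
# created a record for someone else. Log lines below are constructed samples.
SAMPLE_AUDIT_LOG = """\
2025-11-04T15:40:04Z actor=17 roles=employee action=leave.create subject=17
2025-11-04T15:41:10Z actor=17 roles=employee action=resignation.create subject=42
2025-11-04T15:42:30Z actor=3 roles=hr action=leave.create subject=42
"""

def parse_event(line: str) -> dict:
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)  # key=value pairs
    ev["ts"] = ts
    return ev

def suspicious_events(log: str) -> list:
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        actor = User(int(ev["actor"]), frozenset(ev["roles"].split(",")))
        if ev["action"].endswith(".create") and not can_create_record_for(actor, int(ev["subject"])):
            hits.append(ev)
    return hits
```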
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690a1e549fe43a2ba3125a4d
Added to database: 11/4/2025, 3:40:04 PM
Last enriched: 11/4/2025, 3:55:03 PM
Last updated: 11/4/2025, 6:17:58 PM