Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-22953

A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution.

Published

2025-03-28T21:15:17.617

Last Modified

2025-04-15T15:16:07.327

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Secondary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	epicor	human_capital_management	2021_1.9	Yes

References

https://github.com/maliktawfiq/CVE-2025-22953 ([email protected])
https://tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904?pvs=4 Third Party Advisory ([email protected])
https://www.epiusers.help/t/alert-hcm-security-patch/124777 ([email protected])