PT-2025-13576 · Epicor · Epicor HCM

Malik Tawfiq · Published 2025-03-28 · Updated 2025-04-11 · CVE-2025-22953

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Epicor HCM version 2021 1.9

Description: A SQL injection issue exists in the filter parameter of the "JsonFetcher.svc" endpoint. An attacker can exploit this by injecting SQL payloads into the filter parameter, enabling unauthorized execution of arbitrary SQL commands on the backend database. If certain database features, such as xp_cmdshell, are enabled, this may lead to remote code execution.

Recommendations: For Epicor HCM version 2021 1.9, consider disabling the JsonFetcher.svc endpoint or restricting access to the filter parameter until a patch is available. Avoid using the filter parameter of the affected endpoint until the issue is resolved.
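One way to apply the "restrict access" recommendation at the web server while waiting for a vendor patch, as an added example that is not part of this advisory or of Epicor's own configuration: it assumes Epicor HCM is hosted under IIS, that JsonFetcher.svc is reachable at the application root, and that 10.0.0.0/8 is the only network that legitimately needs the endpoint (adjust the path and ranges to your deployment).

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Option A: block the endpoint outright (use when the feature is not needed).
       Any URL containing the sequence is rejected by IIS request filtering with 404. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="JsonFetcher.svc" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Option B: keep the endpoint but allow it only from a trusted network.
       Requires the "IP and Domain Restrictions" IIS feature; remove Option A
       above if you use this one. The path is an assumption for this example. -->
  <location path="JsonFetcher.svc">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <!-- 10.0.0.0/8 stands in for the internal HR network (constructed value) -->
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Either option only narrows exposure; the injection itself remains until the vendor fix is applied, so keep database-side hardening (least-privilege application login, xp_cmdshell disabled) in place as well.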

Tags: Exploit · Fix · RCE · SQL injection


Weakness Enumeration

Related identifiers

CVE-2025-22953

Affected products

Epicor HCM