PT-2025-13576 · Epicor · Epicor HCM

Author: Malik Tawfiq · Published: 2025-03-28 · Updated: 2025-04-11

CVE-2025-22953 · CVSS v3.1: 9.8 (Critical) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Epicor HCM version 2021 1.9

Description: A SQL injection vulnerability exists in the filter parameter of the "JsonFetcher.svc" endpoint. An attacker can exploit it by injecting SQL payloads into the filter parameter, which allows unauthorized execution of arbitrary SQL commands against the backend database. If certain database features, such as xp_cmdshell, are enabled, this can escalate to remote code execution.

Recommendations: For Epicor HCM version 2021 1.9, consider disabling the JsonFetcher.svc endpoint or restricting access to the filter parameter until a patch is available. Avoid using the filter parameter of the affected endpoint until the issue is resolved.
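Until the endpoint can be disabled, defenders usually want two things: a way to spot abuse of the filter parameter in existing web-server logs, and a positive allowlist to enforce in front of the endpoint. The script below is an added example written for this advisory; it is not code from Epicor or from the advisory's author. The log lines are constructed, the request path /JsonFetcher.svc and the legitimate filter grammar (field=value pairs joined by AND/OR) are assumptions and must be adjusted to the real deployment before use.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (timestamp method url status); the
# /JsonFetcher.svc path and every parameter value are assumptions for the demo.
SAMPLE_LOG = """\
2025-03-28 10:01:02 GET /JsonFetcher.svc?filter=LastName%3DSmith 200
2025-03-28 10:01:05 GET /JsonFetcher.svc?filter=LastName%3D%27%20OR%201%3D1-- 200
2025-03-28 10:01:09 GET /Home.aspx?filter=%27 200
2025-03-28 10:01:12 POST /JsonFetcher.svc?filter=1%3B%20EXEC%20xp_cmdshell 500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# SQL syntax that a plain filter expression should never need. Each entry is
# (label, compiled regex); extend the keyword list to match the backend DBMS.
SQL_INDICATORS = [
    ("quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("statement-separator", re.compile(r";")),
    ("keyword", re.compile(
        r"\b(union|select|insert|update|delete|drop|exec|execute|waitfor|xp_cmdshell)\b",
        re.I)),
]

# Assumed allowlist for legitimate filter values: field=value pairs joined by
# AND/OR, values limited to letters, digits, spaces, '.', '@'. Replace with the
# application's real filter grammar before enforcing it.
ALLOWED_FILTER = re.compile(
    r"^[A-Za-z0-9_]+=[A-Za-z0-9 .@]+( (AND|OR) [A-Za-z0-9_]+=[A-Za-z0-9 .@]+)*$",
    re.I)


def filter_is_allowed(value: str) -> bool:
    """Positive validation: accept only filter values that match the allowlist."""
    return bool(ALLOWED_FILTER.fullmatch(value))


def extract_filter(url: str):
    """Return the decoded 'filter' value for JsonFetcher.svc requests, else None."""
    parts = urlsplit(url)
    if "jsonfetcher.svc" not in parts.path.lower():
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    return values[0] if values else None


def scan_log(text: str):
    """Return one finding per JsonFetcher.svc request whose filter contains SQL syntax."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        value = extract_filter(m["url"])
        if value is None:
            continue  # not the vulnerable endpoint, or no filter parameter
        hits = [label for label, rx in SQL_INDICATORS if rx.search(value)]
        if hits:
            findings.append({
                "timestamp": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),
                "filter": value,
                "indicators": hits,
                "allowlisted": filter_is_allowed(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["timestamp"], f["method"], f["status"], f["indicators"], repr(f["filter"]))
```

Run against the constructed log, scan_log flags the second and fourth requests and ignores the benign filter and the request to a different path. The same filter_is_allowed check is what a reverse proxy or WAF rule in front of JsonFetcher.svc should enforce: reject anything outside the known-good grammar rather than trying to blocklist SQL keywords, since the indicator list only serves as a detection aid over historical logs.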

Tags: Exploit · Fix · RCE · SQL injection

Weakness Enumeration

Related Identifiers: CVE-2025-22953

Affected Products: Epicor HCM