Unrated severityNVD Advisory· Published Mar 28, 2025· Updated Apr 15, 2025

CVE-2025-22953

Description

A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution.

Affected products

Epicor/HCMdescription
Epicor/HCMllm-create
Range: HCM 2021 1.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904mitre
www.epiusers.help/t/alert-hcm-security-patch/124777mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000