Epicor has officially released a patch addressing this vulnerability. All affected users are strongly advised to apply the update immediately.
🔗 Epicor Security Patch Announcement
An unauthenticated Blind SQL Injection vulnerability exists in the Epicor HCM software, version 2021 1.9 (the tested version; other versions may also be affected), specifically in the filter parameter of the JsonFetcher.svc endpoint.
An attacker can exploit this flaw to inject malicious SQL payloads and execute arbitrary queries on the backend database without authentication.
If certain database features (such as the SQL Server xp_cmdshell extended stored procedure) are enabled, the injection can be escalated to remote code execution on the database host.
Affected endpoint: JsonFetcher.svc
Affected parameter: filter
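Since no proof of concept is published, the practical question for defenders is how to spot probing of this parameter in their own web-server logs. The following detection sketch is an added example written for this page; it is not Epicor code and not a PoC. It assumes IIS W3C-style log lines with the field order given in LOG_FIELDS and a request path containing JsonFetcher.svc (the exact path and operation name are assumptions), and it runs over a few constructed sample lines. It flags requests whose filter parameter carries boolean-based or time-based blind injection indicators, an xp_cmdshell reference, or an abnormally long response time, which is the signature of WAITFOR DELAY style probing that a blind injection attacker relies on.

```python
"""Detect suspicious requests to the JsonFetcher.svc 'filter' parameter.

Added example for this advisory (not Epicor's code, not an exploit).
Assumption: IIS W3C logs with the field order in LOG_FIELDS; sample lines
below are constructed for illustration.
"""
import re
from urllib.parse import parse_qs

# Assumed field order of the exported log (assumption, adjust to your site).
LOG_FIELDS = ["date", "time", "method", "uri_stem", "uri_query", "status", "time_taken"]

# Indicators of SQL injection probing in a decoded 'filter' value.
SQLI_PATTERNS = [
    ("boolean-blind", re.compile(r"'\s*(or|and)\s+", re.I)),      # ' OR 1=1
    ("time-blind", re.compile(r"waitfor\s+delay", re.I)),         # MSSQL WAITFOR DELAY
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),            # RCE attempt
    ("comment-or-terminator", re.compile(r"(--|/\*|;)")),         # -- /* ;
    ("sql-keyword", re.compile(r"\b(union|select|exec|sp_\w+)\b", re.I)),
]
SLOW_MS = 5000  # responses this slow suggest WAITFOR probing (threshold is an assumption)


def parse_line(line):
    """Split one W3C log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    rec["time_taken"] = int(rec["time_taken"])
    return rec


def filter_param(uri_query):
    """Return the percent-decoded 'filter' parameter, or None if absent."""
    values = parse_qs(uri_query, keep_blank_values=True).get("filter")
    return values[0] if values else None


def classify(rec):
    """Return the list of indicator names for a record (empty means benign)."""
    if "jsonfetcher.svc" not in rec["uri_stem"].lower():
        return []
    value = filter_param(rec["uri_query"])
    if value is None:
        return []
    reasons = [name for name, pattern in SQLI_PATTERNS if pattern.search(value)]
    if rec["time_taken"] >= SLOW_MS:
        reasons.append("slow-response")
    return reasons


def scan(lines):
    """Run classify over raw log lines and return only the flagged requests."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({"filter": filter_param(rec["uri_query"]), "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic). The path is an assumption.
SAMPLE_LOG = [
    "2025-01-10 09:12:01 GET /HCM/JsonFetcher.svc/GetData filter=Department%3D%27HR%27 200 31",
    "2025-01-10 09:12:05 GET /HCM/JsonFetcher.svc/GetData filter=Department%3D%27HR%27%27+OR+1%3D1-- 200 28",
    "2025-01-10 09:12:09 GET /HCM/JsonFetcher.svc/GetData filter=Department%3D%27HR%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- 200 5012",
    "2025-01-10 09:12:11 GET /HCM/Login.aspx - 200 14",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["filter"], "->", ", ".join(hit["reasons"]))
```

The time-taken check matters more than the keyword list for a blind injection: payloads can be obfuscated, but a time-based probe still has to make the server wait. On the database side, whether the escalation path the advisory mentions is open can be confirmed with `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, and closed with `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` if the application has no legitimate need for it.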
While this vulnerability has been publicly disclosed and assigned a CVE ID, no public proof of concept will be released at this time.
Although the vendor has released a patch, it appears that not all affected versions are covered, and some customers may still be at risk.
In an effort to protect unpatched environments and give organizations time to apply mitigations, the PoC will be withheld indefinitely.
This decision reflects a commitment to responsible disclosure and user safety. Should the vendor confirm full patch coverage, a redacted PoC may be considered in the future for defensive and detection purposes only.