An unauthenticated blind SQL injection vulnerability exists in Epicor HCM, version 2021 1.9 (the tested version; other versions may also be affected), specifically in the filter parameter of the JsonFetcher.svc endpoint.
An attacker can exploit this flaw to inject SQL payloads and execute arbitrary queries against the backend database without authentication. If certain features (such as xp_cmdshell) are enabled, this may lead to remote code execution.
Affected endpoint: JsonFetcher.svc
Affected parameter: filter
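Until a vendor fix is available, one practical defensive step is to review web server access logs for injection probes aimed at the affected endpoint. The following scanner is an added example (not part of the advisory or Epicor's code): it parses Common Log Format lines, decodes the filter query value on requests to JsonFetcher.svc, and flags values carrying indicators typical of blind SQL injection against a SQL Server backend. The log lines, the /HCM/ path prefix and the filter values are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). The "/HCM/" prefix and
# the filter values are assumptions for this example, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2025:10:00:01 +0000] "GET /HCM/JsonFetcher.svc?filter=lastName%20eq%20%27Smith%27 HTTP/1.1" 200 512
203.0.113.11 - - [25/Mar/2025:10:00:05 +0000] "GET /HCM/JsonFetcher.svc?filter=1%27%3BWAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512
203.0.113.12 - - [25/Mar/2025:10:00:09 +0000] "GET /HCM/Default.aspx HTTP/1.1" 200 2048
203.0.113.13 - - [25/Mar/2025:10:00:12 +0000] "GET /HCM/JsonFetcher.svc?filter=1%27%20AND%201%3D1-- HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/'
)

# Indicators a defender would expect in blind SQLi probes against a SQL Server backend.
SQLI_INDICATORS = [
    (re.compile(r"waitfor\s+delay", re.I), "time-based probe (WAITFOR DELAY)"),
    (re.compile(r"xp_cmdshell", re.I), "xp_cmdshell reference"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "UNION SELECT"),
    (re.compile(r"--|/\*|;"), "SQL comment or statement separator"),
    (re.compile(r"'\s*(and|or)\b", re.I), "quote followed by boolean operator"),
]

def filter_values(target: str) -> list[str]:
    """Return the decoded `filter` query values for requests to JsonFetcher.svc."""
    parts = urlsplit(target)
    if "jsonfetcher.svc" not in parts.path.lower():
        return []
    return parse_qs(parts.query).get("filter", [])  # parse_qs percent-decodes values

def indicators_for(value: str) -> list[str]:
    """List the indicator labels that match a decoded filter value."""
    reasons = [label for pat, label in SQLI_INDICATORS if pat.search(value)]
    if value.count("'") % 2 == 1:  # an odd number of quotes breaks out of a literal
        reasons.append("unbalanced single quote")
    return reasons

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, decoded filter value, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in filter_values(m["target"]):
            reasons = indicators_for(value)
            if reasons:
                hits.append((m["ip"], value, reasons))
    return hits

if __name__ == "__main__":
    for ip, value, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}: filter={value!r} -> {', '.join(reasons)}")
```

The benign request from 203.0.113.10 is not flagged; the two probes are reported with the indicators that matched, which is the kind of signal to feed into a WAF rule or SIEM alert while the endpoint remains unpatched.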
Note:
As the vendor has not released a fix and has remained unresponsive beyond the 90-day disclosure deadline, this CVE is being published for public awareness and defensive preparation.
The full PoC will be shared two months from this publication date, even if the vendor has not yet issued a fix, to raise awareness among impacted organizations using Epicor HCM.
| Date | Action |
|---|---|
| 2025-01-02 | ME: Initial report sent to [email protected], [email protected] |
| 2025-01-17 | Epicor: acknowledged the report and requested version details |
| 2025-01-22 | ME: Provided vulnerable version (Epicor HCM 2021 1.9) and full exploit |
| 2025-01-29 | ME: Shared intent to wait for fix |
| 2025-02-06 | ME: Follow-up email asking for fix status |
| 2025-02-11 | ME: Shared CVE assignment (CVE-2025-22953) and requested affected versions |
| 2025-02-17 | ME: Another follow-up with no response |
| 2025-02-21 | ME: Sent 90-day disclosure notice (deadline: April 2, 2025) |
| 2025-03-21 | ME: Final follow-up, still no vendor response |
| 2025-03-25 | ME: Public disclosure of CVE-2025-22953 |