Cyber Posture

CVE-2025-22953

Critical

Published: 28 March 2025

Modified: 15 April 2025
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0112 (78.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Security Summary

CVE-2025-22953, published on 2025-03-28, is a SQL injection vulnerability (CWE-89) in Epicor HCM 2021 1.9, specifically within the filter parameter of the JsonFetcher.svc endpoint. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high confidentiality, integrity, and availability impacts.

Unauthenticated attackers with network access can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter of the JsonFetcher.svc endpoint. Successful exploitation enables arbitrary SQL command execution on the backend database. If server features such as xp_cmdshell are enabled, this could escalate to remote code execution.

Patches addressing this issue are available as follows: 5.16.0.1033 for HCM2022, 5.17.0.1146 for HCM2023, and 5.18.0.573 for HCM2024. Further details appear in community advisories, including the Epicor users forum alert at https://www.epiusers.help/t/alert-hcm-security-patch/124777, a technical writeup at https://tinted-hollyhock-92d.notion.site/EPICOR-HCM-Unauthenticated-Blind-SQL-Injection-CVE-2025-22953-170f1fdee211803988d1c9255a8cb904?pvs=4, and a GitHub repository at https://github.com/maliktawfiq/CVE-2025-22953.
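As an added defensive example (not code from the Cyber Posture page, the advisories it links, or Epicor), the script below scans web-server access logs for requests to the JsonFetcher.svc endpoint whose filter parameter carries SQL syntax rather than a plain filter expression. The endpoint name and parameter name come from the summary above; the full URL path, the simplified IIS-style log layout, the indicator regexes and every sample log line are assumptions constructed for the example.

```python
# Added example: flag JsonFetcher.svc requests whose "filter" parameter looks
# like SQL injection. Endpoint and parameter names are from the advisory; the
# path prefix, log layout and sample lines below are constructed assumptions.
import re
from urllib.parse import parse_qs, unquote_plus

ENDPOINT = "jsonfetcher.svc"   # endpoint named in the advisory (path prefix unknown)
PARAM = "filter"               # vulnerable query parameter named in the advisory

# Heuristic indicators of SQL syntax in a value that should be a simple filter.
SQLI_PATTERNS = {
    "quote_tautology": re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    "comment_marker": re.compile(r"--|/\*"),
    "stacked_statement": re.compile(
        r";\s*(exec|execute|select|insert|update|delete|drop|declare|waitfor)\b", re.I),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),   # blind SQLi probe
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),      # RCE escalation path
}

# Simplified IIS-style layout (assumed): date time client method path query status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines; IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-03-29 10:01:02 203.0.113.5 GET /HCM/JsonFetcher.svc/GetRows filter=EmployeeId%3D1001 200
2025-03-29 10:01:09 203.0.113.5 GET /HCM/JsonFetcher.svc/GetRows filter=EmployeeId%3D1001%27+WAITFOR+DELAY+%270%3A0%3A5%27-- 200
2025-03-29 10:02:15 198.51.100.7 GET /HCM/Login.aspx - 200
2025-03-29 10:02:50 198.51.100.7 GET /HCM/JsonFetcher.svc/GetRows filter=LastName%3D%27O%27Brien%27 200
2025-03-29 10:03:40 203.0.113.5 GET /HCM/JsonFetcher.svc/GetRows filter=Status%3D%27A%27+OR+%271%27%3D%271 200
"""


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = "" if rec["query"] == "-" else rec["query"]   # IIS logs "-" for no query
    return rec


def filter_values(query):
    """Return every decoded value of the filter parameter from a raw query string."""
    values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
    # parse_qs decodes once; a second decode catches double-encoded values.
    # A literal '+' in an already decoded value becomes a space, which does not
    # affect indicator matching.
    return [unquote_plus(v) for v in values]


def classify(value):
    """Names of every indicator pattern that matches the decoded filter value."""
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(value)]


def scan_log(text):
    """Return one finding per JsonFetcher.svc request whose filter value trips an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or ENDPOINT not in rec["path"].lower():
            continue
        for value in filter_values(rec["query"]):
            hits = classify(value)
            if hits:
                findings.append({
                    "time": rec["time"],
                    "client": rec["client"],
                    "status": rec["status"],
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} "
              f"indicators={','.join(f['indicators'])} filter={f['value']!r}")
```

On the constructed sample the scanner flags the time-delay probe and the quoted tautology from 203.0.113.5 and leaves the two legitimate filters alone, including the one containing an apostrophe in a surname; that last case is why the tautology pattern requires a boolean operator and a comparison after the quote rather than matching any quote. The status code is carried through because a run of 500 responses on this endpoint from one client is itself worth correlating, even when the filter value is too obfuscated for the regexes.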

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

Affected Products

Vendor: epicor
Product: human capital management
Version: 2021_1.9

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.

Why these techniques?

Unauthenticated SQL injection in the public-facing JsonFetcher.svc endpoint directly enables T1190 Exploit Public-Facing Application for initial access. Arbitrary SQL execution facilitates T1059.003 Windows Command Shell, via xp_cmdshell, for remote code execution when that feature is enabled on the backend database.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
