Cyber Resilience

CVE-2025-22953

Severity: Critical
Published: 28 March 2025
Modified: 15 April 2025
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0195 (83.8th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22953 is a critical-severity SQL Injection (CWE-89) vulnerability in Epicor Human Capital Management. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 16.2% of CVEs by estimated exploitation likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A SQL injection vulnerability affects Epicor HCM 2021 version 1.9 in the filter parameter of the JsonFetcher.svc endpoint. The flaw, tracked as CVE-2025-22953 and assigned CWE-89, permits injection of arbitrary SQL commands against the backend database. Patches addressing the issue are available in versions 5.16.0.1033 for HCM2022, 5.17.0.1146 for HCM2023, and 5.18.0.573 for HCM2024. The vulnerability carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access can supply malicious payloads through the filter parameter to execute unauthorized SQL statements; the CVSS vector (AV:N/PR:N/UI:N) records that no credentials or user interaction are required. When database features such as xp_cmdshell are enabled on the backing SQL Server instance, the injection may further allow remote code execution on the database host. xp_cmdshell is disabled by default in SQL Server; administrators can confirm its state with sp_configure (after enabling 'show advanced options') and should treat an enabled setting as raising the realistic impact of this flaw from data compromise to code execution.

Vendor and community advisories direct administrators to apply the listed patches. Public references, including an Epicor user-community alert and a detailed technical write-up, emphasize installing the updates to close the injection vector. The associated EPSS score has remained flat at 0.0195 with no material increase observed after disclosure.


Vulnerability details

A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.003 Windows Command Shell (Execution)
Adversaries may abuse the Windows command shell for execution.
Why these techniques?

The unauthenticated SQL injection in the public-facing JsonFetcher.svc endpoint directly enables T1190 Exploit Public-Facing Application for initial access. Arbitrary SQL execution in turn enables T1059.003 Windows Command Shell through xp_cmdshell, giving remote code execution on the database host when that procedure is enabled.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
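The two techniques above suggest what a detection pass over web-server logs should look for: requests to the JsonFetcher.svc endpoint whose filter parameter carries SQL syntax (T1190), with xp_cmdshell as a high-confidence marker of an attempt to reach the command shell (T1059.003). The script below is an added example written for this page, not a vendor or product artifact. Its log lines are constructed, the /HCM/ path prefix and client IPs are hypothetical, the fields follow a simplified IIS W3C layout (date time method uri-stem uri-query client-ip status), and it assumes the filter arrives in the query string.

```python
"""Detection pass over web-server logs for SQL-injection attempts against
the JsonFetcher.svc endpoint.

Added illustration for this page, not a vendor or product artifact. The log
lines below are constructed, the path prefix (/HCM/) and the client IPs are
hypothetical, and the fields follow a simplified IIS W3C layout:
date time method uri-stem uri-query client-ip status.
"""
import re
from urllib.parse import parse_qs

# Constructed sample log: one benign filter, two attack payloads, one
# unrelated request, and a legitimate value containing an apostrophe.
SAMPLE_LOG = """\
2025-04-01 10:00:01 GET /HCM/JsonFetcher.svc filter=dept+eq+Finance 10.0.0.5 200
2025-04-01 10:00:02 GET /HCM/JsonFetcher.svc filter=%27+OR+%271%27%3D%271 198.51.100.7 200
2025-04-01 10:00:03 GET /HCM/JsonFetcher.svc filter=%27%3B+EXEC+master..xp_cmdshell+%27whoami%27-- 198.51.100.7 500
2025-04-01 10:00:04 GET /HCM/Home.aspx - 10.0.0.9 200
2025-04-01 10:00:05 GET /HCM/JsonFetcher.svc filter=name+like+O%27Brien 10.0.0.5 200
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Indicators: (name, pattern, weight, ATT&CK technique it evidences).
# A lone quote scores low on purpose: names such as O'Brien are legitimate.
INDICATORS = [
    ("xp_cmdshell", re.compile(r"xp_cmdshell", re.I), 10, "T1059.003"),
    ("stacked_query", re.compile(r";\s*(exec|execute|declare|select|insert|update|delete|drop|waitfor)\b", re.I), 5, "T1190"),
    ("union_select", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I), 5, "T1190"),
    ("tautology", re.compile(r"'\s*or\s*'?\w*'?\s*=", re.I), 4, "T1190"),
    ("sql_comment", re.compile(r"--|/\*"), 3, "T1190"),
    ("quote", re.compile(r"'"), 1, None),
]
THRESHOLD = 3


def parse_line(line):
    """Split one log line into fields; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, method, stem, query, client, status = m.groups()
    # parse_qs percent-decodes and turns '+' into spaces, so the indicators
    # run against the value the application would actually see.
    params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
    return {"ts": ts, "method": method, "stem": stem, "params": params,
            "client": client, "status": int(status)}


def score_filter(value):
    """Score a decoded filter value; return (score, hit names, techniques)."""
    score, hits, techniques = 0, [], set()
    for name, pattern, weight, technique in INDICATORS:
        if pattern.search(value):
            score += weight
            hits.append(name)
            if technique:
                techniques.add(technique)
    return score, hits, sorted(techniques)


def detect(log_text, threshold=THRESHOLD):
    """Return findings for JsonFetcher.svc requests whose filter parameter
    scores at or above the threshold."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "jsonfetcher.svc" not in rec["stem"].lower():
            continue
        for value in rec["params"].get("filter", []):
            score, hits, techniques = score_filter(value)
            if score >= threshold:
                findings.append({
                    "ts": rec["ts"], "client": rec["client"], "status": rec["status"],
                    "filter": value, "score": score, "hits": hits,
                    "techniques": techniques,
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} score={f['score']} {f['techniques']} {f['filter']!r}")
```

Two caveats for anyone adapting this. Web-server logs record the query string, not the request body; if the endpoint receives the filter in a POST body, the payload never appears here and the same logic has to run on WAF, reverse-proxy or application logs instead. Second, a 500 status next to a hit is a useful corroborator (malformed injected SQL often errors out), but its absence means nothing, since a well-formed payload returns 200.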

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Vendor: epicor
Product: human capital management
Version: 2021_1.9

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent
Directly mitigates SQL injection by validating and sanitizing the filter parameter in JsonFetcher.svc to block malicious SQL payloads.

SI-2 Flaw Remediation · prevent
Requires timely application of the available patches (5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, 5.18.0.573/HCM2024) that specifically remediate the SQL injection vulnerability.

Additional input restriction · prevent
Restricts the filter parameter to authorized input types and quantities, reducing the opportunity for SQL injection payloads.
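The SI-10 control above and the mechanism described in the deeper analysis are two sides of the same defect: a caller-controlled filter string spliced into SQL text. The script below is an added example written for this page, not Epicor's code. The table, column and function names are hypothetical, an in-memory SQLite database stands in for the real backend so it runs offline, and the SQL Server-specific xp_cmdshell step is not reproduced. It shows the concatenated query yielding to a tautology and a UNION payload, and the hardened form (allow-listed field and operator, length-bounded value bound as a parameter) treating the same payloads as plain data.

```python
"""Vulnerable vs. hardened handling of a 'filter' query parameter.

Added illustration for this page, not Epicor's code: the table, column and
function names are hypothetical, and an in-memory SQLite database stands in
for the real backend so the script runs offline.
"""
import sqlite3

# Constructed sample data: an HR table the endpoint is meant to filter.
ROWS = [
    (1, "alice", "Engineering", 90000),
    (2, "bob", "Engineering", 85000),
    (3, "carol", "Finance", 120000),
]


def new_db():
    """Fresh in-memory database seeded with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (id INTEGER, name TEXT, dept TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", ROWS)
    return conn


def fetch_vulnerable(conn, filter_value):
    """The CWE-89 pattern: the filter text becomes part of the SQL statement,
    so quotes and keywords in it rewrite the query's logic."""
    sql = "SELECT id, name FROM employee WHERE dept = '" + filter_value + "'"
    return conn.execute(sql).fetchall()


# Hardened form: the filter is structured, field and operator come from an
# allow-list, and the value is bound as a parameter (never concatenated).
ALLOWED_FIELDS = {"dept", "name"}
ALLOWED_OPS = {"eq": "=", "like": "LIKE"}
MAX_VALUE_LEN = 64


def fetch_hardened(conn, field, op, value):
    """Validate the filter's structure, then bind the value as a parameter."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"operator not allowed: {op!r}")
    if not isinstance(value, str) or len(value) > MAX_VALUE_LEN:
        raise ValueError(f"filter value must be a string of at most {MAX_VALUE_LEN} characters")
    # field/op are interpolated only after the allow-list check; the value
    # travels as a bound parameter, so its quotes are data, not syntax.
    sql = f"SELECT id, name FROM employee WHERE {field} {ALLOWED_OPS[op]} ?"
    return conn.execute(sql, (value,)).fetchall()


# Constructed payloads: a tautology that returns every row, and a UNION that
# pulls a column (salary) the endpoint was never meant to expose.
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "' UNION SELECT id, salary FROM employee WHERE '1'='1"


def demo():
    """Run the same inputs through both paths and return the results."""
    conn = new_db()
    results = {
        "legit_vulnerable": fetch_vulnerable(conn, "Finance"),
        "tautology_vulnerable": fetch_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": fetch_vulnerable(conn, UNION_LEAK),
        "legit_hardened": fetch_hardened(conn, "dept", "eq", "Finance"),
        "tautology_hardened": fetch_hardened(conn, "dept", "eq", TAUTOLOGY),
    }
    try:
        fetch_hardened(conn, "dept; DROP TABLE employee", "eq", "x")
        results["bad_field_rejected"] = False
    except ValueError:
        results["bad_field_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the checks matters: field and operator are validated against fixed sets before they touch the SQL text, because identifiers cannot be bound as parameters, while the value is never validated by blacklist at all, since binding makes its content irrelevant to the statement's structure. The length cap corresponds to the third control listed above (restricting authorized input types and quantities).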
