CVE-2025-22953
Published: 28 March 2025
Summary
CVE-2025-22953 is a critical-severity SQL Injection (CWE-89) vulnerability in Epicor Human Capital Management. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A SQL injection vulnerability affects Epicor HCM 2021 version 1.9 in the filter parameter of the JsonFetcher.svc endpoint. The flaw, tracked as CVE-2025-22953 and assigned CWE-89, permits injection of arbitrary SQL commands against the backend database. Patches addressing the issue are available in versions 5.16.0.1033 for HCM2022, 5.17.0.1146 for HCM2023, and 5.18.0.573 for HCM2024. The vulnerability carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker with network access to the endpoint can supply crafted values in the filter parameter to execute arbitrary SQL statements against the backend database. If the SQL Server extended stored procedure xp_cmdshell is enabled (it is disabled by default) and the application's database login is permitted to run it, the injection can be escalated to operating-system command execution on the database server, with commands running under the SQL Server service account.
Vendor and community advisories direct administrators to apply the listed patches. Public references, including an Epicor user-community alert and a detailed technical write-up, emphasize installing the updates to close the injection vector. The associated EPSS score has remained flat at 0.0195 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8652
Vulnerability details
A SQL injection vulnerability exists in Epicor HCM 2021 1.9, with patches available: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, and 5.18.0.573/HCM2024. The injection is specifically in the filter parameter of the JsonFetcher.svc endpoint. An attacker can exploit this vulnerability by injecting malicious SQL payloads into the filter parameter, enabling the unauthorized execution of arbitrary SQL commands on the backend database. If certain features (like xp_cmdshell) are enabled, this may lead to remote code execution.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in the public-facing JsonFetcher.svc endpoint maps directly to T1190 Exploit Public-Facing Application for initial access. Where xp_cmdshell is enabled and reachable by the application's database login, arbitrary SQL execution extends to T1059.003 Windows Command Shell for remote code execution.
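As an added hunting example (not part of the original advisory), the following Python script scans IIS-style W3C log lines for requests to JsonFetcher.svc whose filter parameter carries common SQL-injection indicators. The log lines are constructed, and the /HCM/ path prefix and the "field eq 'value'" filter syntax are assumptions; the page documents only the endpoint name and the parameter name.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log excerpt (not real traffic). The /HCM/ prefix and
# the "field eq 'value'" filter syntax are assumptions; only the endpoint name
# (JsonFetcher.svc) and the parameter name (filter) come from the advisory.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-03-29 10:01:02 GET /HCM/JsonFetcher.svc/Fetch filter=Department+eq+'Sales' 10.0.0.5 200
2025-03-29 10:01:09 GET /HCM/JsonFetcher.svc/Fetch filter=Department+eq+'Sales'+OR+1%3D1-- 203.0.113.7 200
2025-03-29 10:01:15 GET /HCM/JsonFetcher.svc/Fetch filter=x'%3B+EXEC+xp_cmdshell+'whoami'-- 203.0.113.7 500
2025-03-29 10:02:00 GET /HCM/Login.aspx ReturnUrl=%2FHCM%2F 10.0.0.9 200
2025-03-29 10:02:30 GET /HCM/JsonFetcher.svc/Fetch filter=Name+eq+'O''Brien' 10.0.0.5 200
"""

# Indicators of injection rather than of any quote character, so that a
# legitimately escaped value such as O''Brien is not flagged.
INDICATORS = {
    "comment":     re.compile(r"--|/\*"),
    "tautology":   re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "union":       re.compile(r"\bunion\b.+\bselect\b", re.I),
    "stacked":     re.compile(r";\s*(exec|execute|declare|select|insert|update|delete|drop)\b", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "time_based":  re.compile(r"\bwaitfor\s+delay\b", re.I),
}

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def filter_param(query):
    """Return the decoded value of the filter parameter (name matched case-insensitively) or None."""
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() == "filter":
            return values[0]
    return None

def find_injection_attempts(log_text):
    """Return records that target JsonFetcher.svc with a suspicious filter value."""
    hits = []
    for rec in parse_w3c(log_text):
        if "jsonfetcher.svc" not in rec["cs-uri-stem"].lower():
            continue
        value = filter_param(rec.get("cs-uri-query", ""))
        if value is None:
            continue
        matched = [name for name, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "filter": value,
                "indicators": matched,
            })
    return hits

if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(hit)
```

Two caveats when running this against real logs: IIS records only the query string, so a filter value sent in a POST body is invisible here and needs WAF or application-level logging; and the indicator set should be tuned to whatever the application's legitimate filter grammar allows, since a filter language that itself uses SQL-like operators will raise the false-positive rate.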
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the SQL injection by validating and sanitizing the filter parameter of JsonFetcher.svc so that malicious SQL payloads are rejected before they reach the database.
- SI-2 (Flaw Remediation): requires timely application of the available patches (5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, 5.18.0.573/HCM2024) that specifically remediate the injection.
- Restricting the filter parameter to authorized input types and quantities further reduces the opportunity for SQL injection payloads.
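As an added illustration of the input-validation control above (example code, not Epicor's implementation, which the page does not show), the following Python snippet contrasts a filter parameter that is spliced into the WHERE clause with one that is validated against a strict grammar and an allowlist of fields before its value is bound as a query parameter. The employee table, the "field eq 'value'" grammar and the sample rows are constructed for the demonstration, and SQLite stands in for the real database so the snippet runs offline.

```python
import re
import sqlite3

# Constructed sample data; the table layout is an assumption for the demo only.
ROWS = [(1, "Alice", "Sales"), (2, "Bob", "HR"), (3, "Carol", "Sales")]

# Strict grammar for an accepted filter: <field> eq|ne '<value>', where a quote
# inside the value is written as '' (an assumed filter syntax, not Epicor's).
FILTER_RE = re.compile(r"^\s*(\w+)\s+(eq|ne)\s+'((?:[^']|'')*)'\s*$", re.I)
ALLOWED_FIELDS = {"id", "name", "department"}
ALLOWED_OPS = {"eq": "=", "ne": "<>"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER, name TEXT, department TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", ROWS)
    return conn

def fetch_unsafe(conn, filter_expr):
    """Vulnerable pattern: the filter text is rewritten and spliced into the SQL."""
    where = re.sub(r"\beq\b", "=", filter_expr, flags=re.I)
    where = re.sub(r"\bne\b", "<>", where, flags=re.I)
    return conn.execute("SELECT id, name FROM employee WHERE " + where).fetchall()

def fetch_safe(conn, filter_expr):
    """Hardened pattern: validate the grammar, allowlist the field and operator,
    and bind the value as a parameter so it can never alter the statement."""
    m = FILTER_RE.match(filter_expr)
    if not m:
        raise ValueError("filter does not match the accepted grammar")
    field, op, raw_value = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not permitted: {field}")
    value = raw_value.replace("''", "'")   # undo the grammar's quote escaping
    sql = f"SELECT id, name FROM employee WHERE {field} {ALLOWED_OPS[op]} ?"
    return conn.execute(sql, (value,)).fetchall()

def run_demo():
    """Run both patterns over benign and hostile filters and collect the outcomes."""
    conn = make_db()
    benign = "department eq 'Sales'"
    hostile = "department eq 'x' OR 1=1--"   # tautology plus trailing comment
    results = {
        "unsafe_benign": fetch_unsafe(conn, benign),
        "unsafe_hostile": fetch_unsafe(conn, hostile),   # returns every row
        "safe_benign": fetch_safe(conn, benign),
        "safe_escaped_quote": fetch_safe(conn, "name eq 'O''Brien'"),
    }
    for label, expr in [("safe_hostile", hostile), ("safe_unknown_field", "salary eq '1'")]:
        try:
            results[label] = fetch_safe(conn, expr)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The hardened version rejects the hostile filter at the grammar check rather than relying on escaping, and an unknown field name is refused even though it is syntactically valid; only the value itself ever reaches the database, and it arrives as a bound parameter.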