CVE-2025-22953

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Mar 28, 2025
Updated: Apr 15, 2025
CWE ID 89

Summary

CVE-2025-22953 is a SQL injection vulnerability affecting Epicor HCM 2021 version 1.9. The flaw lies in the filter parameter of the JsonFetcher.svc endpoint, which allows an attacker to inject SQL into the query built from that parameter. Exploitation may result in unauthorized execution of arbitrary SQL commands and, if database features such as xp_cmdshell are enabled, potentially in remote code execution. Patches that mitigate this risk are available for HCM2022 (version 5.16.0.1033), HCM2023 (version 5.17.0.1146), and HCM2024 (version 5.18.0.573).
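To make the defect class concrete, the following is an added illustration, not Epicor's code (the product is .NET, so this Python/sqlite3 sketch with a hypothetical `employees` table only mirrors the pattern): a client-supplied filter pasted into SQL, beside a hardened version that accepts a structured filter, allow-lists field names and operators, and binds values as parameters.

```python
import sqlite3

# Constructed sample data standing in for an HCM table (hypothetical schema).
def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(1, "Ada", "finance"), (2, "Bob", "hr"), (3, "Cy", "finance")])
    return conn

def fetch_unsafe(filter_expr):
    """Vulnerable pattern: the raw filter string becomes part of the WHERE clause,
    so the client controls query structure, not just a value."""
    conn = _connect()
    sql = "SELECT id, name FROM employees WHERE " + filter_expr
    return conn.execute(sql).fetchall()

# Identifiers and operators the server is willing to place into SQL text.
ALLOWED_FIELDS = {"id", "name", "dept"}
ALLOWED_OPS = {"eq": "=", "ne": "<>", "lt": "<", "gt": ">"}

def fetch_safe(filter_terms):
    """Hardened pattern: the filter arrives as structured terms; only allow-listed
    identifiers reach the SQL text, and every value is bound as a parameter."""
    conn = _connect()
    clauses, params = [], []
    for term in filter_terms:
        field, op, value = term["field"], term["op"], term["value"]
        if field not in ALLOWED_FIELDS or op not in ALLOWED_OPS:
            raise ValueError("rejected filter term: %r" % (term,))
        clauses.append("%s %s ?" % (field, ALLOWED_OPS[op]))
        params.append(value)
    sql = "SELECT id, name FROM employees WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()
```

With the unsafe function a filter that closes the quoted value and appends a tautology returns every row, while the safe function treats the identical text as an ordinary string value and rejects any field it does not know.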

