# CVE-2025-22953 – Epicor HCM Unauthenticated Blind SQL Injection
## Summary
An unauthenticated **Blind SQL Injection** vulnerability exists in the **Epicor HCM** software, version **2021 1.9** (the tested version; other versions may also be affected), specifically in the `filter` parameter of the `JsonFetcher.svc` endpoint.
An attacker can exploit this flaw to inject malicious SQL payloads and execute arbitrary queries on the backend database without authentication.
If certain features (like `xp_cmdshell`) are enabled, this may lead to **remote code execution**.
---
## Affected Component
- **Endpoint:** `JsonFetcher.svc`
- **HTTP Method:** POST
- **Vulnerable Parameter:** `filter`
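
While no fix is available, one defensive check is to look for bursts of POST requests to this endpoint, since blind injection needs many requests to extract data. The script below is an added example, not part of the original advisory; it assumes IIS W3C extended logs, and the URL path, IP addresses, log lines and threshold are constructed for illustration.

```python
from collections import Counter

ENDPOINT = "jsonfetcher.svc"  # endpoint named in the advisory
THRESHOLD = 5                 # assumed per-minute limit; tune to local baseline


def build_sample():
    """Constructed W3C-format log lines (not real traffic)."""
    row = "2025-01-01 10:{m}:{s:02d} {verb} {path} - {ip} 200 120"
    svc = "/placeholder/JsonFetcher.svc"  # path prefix is a placeholder
    lines = ["#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status time-taken"]
    lines += [row.format(m=15, s=s, verb="POST", path=svc, ip="203.0.113.7") for s in range(8)]
    lines += [row.format(m=16, s=0, verb="POST", path=svc, ip="203.0.113.7")]
    lines += [row.format(m=15, s=s, verb="POST", path=svc, ip="198.51.100.20") for s in (5, 40)]
    lines += [row.format(m=15, s=9, verb="GET", path="/placeholder/home", ip="198.51.100.20")]
    return "\n".join(lines)


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def burst_clients(text, threshold=THRESHOLD):
    """Return {client_ip: peak POSTs per minute} for clients at or above threshold."""
    per_minute = Counter()
    for req in parse_w3c(text):
        if req.get("cs-method", "").upper() != "POST":
            continue
        if ENDPOINT not in req.get("cs-uri-stem", "").lower():
            continue
        key = (req.get("c-ip"), req.get("date"), req.get("time", "")[:5])
        per_minute[key] += 1
    peaks = {}
    for (ip, _date, _minute), count in per_minute.items():
        if count >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks


if __name__ == "__main__":
    print(burst_clients(build_sample()))
```

IIS does not log POST bodies by default, so this flags request volume only; confirming injected `filter` values requires WAF or application-level request logging.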
---
## Severity
- **CVSS v3.x Score:** 9.8 (Critical)
- **Attack Vector:** Remote
- **Authentication Required:** No
---
## Proof of Concept (PoC)
> **Note:**
> As the vendor has not released a fix and has remained unresponsive beyond the 90-day disclosure deadline, this CVE is being published for public awareness and defensive preparation.
>
> The **full PoC will be shared two months from this publication date**, even if the vendor has not yet issued a fix, to raise awareness among impacted organizations using Epicor HCM.
---
## References
- 🔗 [CVE-2025-22953 on CVE.org](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22953)
---
## Credits
This vulnerability was discovered and responsibly disclosed by **Malik Tawfiq**.
---
> This disclosure is part of a responsible vulnerability coordination effort. It is intended to inform the community and help protect impacted users until a proper patch is released.