CVE-2025-22953
📋 TL;DR
This is an unauthenticated SQL injection vulnerability in Epicor HCM's JsonFetcher.svc endpoint that allows attackers to execute arbitrary SQL commands on the backend database. Organizations running Epicor HCM 2021 1.9 without patches are affected. If extended stored procedures like xp_cmdshell are enabled, this could lead to full remote code execution.
💻 Affected Systems
- Epicor HCM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution leading to data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Database compromise allowing data exfiltration, privilege escalation, and potential access to sensitive HR/personnel information.
If Mitigated
Limited impact if proper network segmentation, database hardening, and input validation are in place.
🎯 Exploit Status
Public exploit code is available on GitHub. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.16.0.1033/HCM2022, 5.17.0.1146/HCM2023, or 5.18.0.573/HCM2024
Vendor Advisory: https://www.epiusers.help/t/alert-hcm-security-patch/124777
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Epicor support portal.
2. Back up the system and database.
3. Apply the patch following Epicor's installation guide.
4. Restart the application services.
5. Verify the patch is applied correctly.
🔧 Temporary Workarounds
WAF Rule Implementation
Deploy Web Application Firewall rules to block SQL injection patterns in the filter parameter
Endpoint Restriction
Restrict access to the JsonFetcher.svc endpoint to authorized IP addresses only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Epicor HCM servers from critical systems
- Disable xp_cmdshell and other extended stored procedures in SQL Server configuration
🔍 How to Verify
Check if Vulnerable:
Test the JsonFetcher.svc endpoint with SQL injection payloads in the filter parameter and monitor for database errors or unexpected responses.
Check Version:
Check the application version in Epicor HCM administration panel or review installation logs.
Verify Fix Applied:
After patching, attempt the same SQL injection tests and verify they are properly rejected or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed authentication attempts
- Suspicious filter parameter values in web server logs
Network Indicators:
- Unusual outbound database connections
- SQL error messages in HTTP responses
- Patterns matching SQL injection payloads
SIEM Query:
source="web_server" AND uri="*JsonFetcher.svc*" AND (param="*filter=*' OR *" OR param="*filter=*;--*")
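The SIEM query above matches the raw request string, so a percent-encoded payload (`%27` for the quote, `%3B` for the semicolon) slips past it, and the same gap applies to a WAF rule written against the raw URI (see the WAF workaround above). The following added example, not part of this advisory or of Epicor's software, shows the check a defender actually wants: parse each web-server log line, keep only requests to JsonFetcher.svc, URL-decode the filter parameter (twice, to cover double encoding), and only then match injection indicators. The log lines and the `/HCM/JsonFetcher.svc/GetData` path are constructed for the example; the advisory names only the endpoint file. The sample includes a legitimate value containing an apostrophe (`O'Brien`) to show that matching a bare quote would produce false positives.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in combined log format; not real traffic.
# The request path under JsonFetcher.svc is an assumption for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /HCM/JsonFetcher.svc/GetData?filter=Department%3DHR HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2025:10:00:07 +0000] "GET /HCM/JsonFetcher.svc/GetData?filter=1%27%20OR%201%3D1-- HTTP/1.1" 500 231
203.0.113.7 - - [01/Mar/2025:10:00:12 +0000] "GET /HCM/JsonFetcher.svc/GetData?filter=x%27%3B--%20 HTTP/1.1" 500 199
10.0.0.5 - - [01/Mar/2025:10:00:20 +0000] "GET /HCM/Other.svc?filter=1%27%20OR%201%3D1 HTTP/1.1" 200 88
10.0.0.9 - - [01/Mar/2025:10:00:31 +0000] "GET /HCM/JsonFetcher.svc/GetData?filter=Name%3DO%27Brien HTTP/1.1" 200 410
"""

# Combined log format: client, identd, user, [timestamp], "METHOD URI PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Indicators are matched against the DECODED filter value. A bare quote is
# deliberately not an indicator on its own (names like O'Brien are legitimate).
SQLI_PATTERNS = [
    # quote followed by OR/AND and a comparison, e.g. ' OR 1=1
    ("tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),
    # quote terminating a statement, or SQL comment sequences
    ("stacked/comment", re.compile(r"'\s*;|--|/\*", re.I)),
    # keywords that have no business in a filter value
    ("keyword", re.compile(
        r"\b(union\s+(all\s+)?select|xp_cmdshell|sp_executesql|waitfor\s+delay)\b", re.I)),
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_filter(uri):
    """Return the (once-decoded) filter parameter for JsonFetcher.svc requests, else None."""
    parts = urlsplit(uri)
    if "jsonfetcher.svc" not in parts.path.lower():
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filter")
    return values[0] if values else None


def classify_filter(value):
    """Return the names of every injection indicator found in the filter value.

    parse_qs already decoded the value once; a second unquote() pass catches
    double-encoded payloads (%2527 -> %27 -> ') that a raw-string rule misses.
    """
    decoded = unquote(value)
    return [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]


def scan_log(text):
    """Scan log text and return one finding per suspicious JsonFetcher.svc request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flt = extract_filter(rec["uri"])
        if flt is None:
            continue
        hits = classify_filter(flt)
        if hits:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],   # 500s alongside hits suggest backend SQL errors
                "filter": unquote(flt),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"indicators={','.join(f['indicators'])} filter={f['filter']!r}")
```

Scoping the check to JsonFetcher.svc mirrors the SIEM query; the same `classify_filter` call applied to every request would also flag the probe against `Other.svc` in the sample, which is the broader rule you would want once the endpoint-specific alert is in place.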