SQL injection in Epsilon RH
INCIBE has coordinated the publication of a critical-severity vulnerability affecting Epsilon RH by Grupo Castilla, a human resources (HR) management system. The vulnerability was discovered by Pedro Gabaldón Juliá, Javier Medina Munuera, Antonio José Gálvez Sánchez, Alejandro Baño Andrés and Álvaro Piñero Laorden.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41028: CVSS v4.0 base score 9.3 | vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89.
The Grupo Castilla team has resolved the reported vulnerability in version 3.03.36.0121.
CVE-2025-41028: A SQL injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete database contents by sending a POST request with the parameter 'sEstadoUsr' to '/epsilonnetws/WSAvisos.asmx'.
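As an added illustration (not code from Grupo Castilla, INCIBE or the advisory), the following Python helpers cover the two defender-side actions this advisory calls for: checking whether an installed build is at or past the fixed version, and, until it is, rejecting requests to the affected web service whose 'sEstadoUsr' value falls outside a strict allow-list. The allow-list shape (a short alphanumeric status code) and the form-encoded POST body are assumptions; a SOAP-encoded call to the same .asmx would need its own parser.

```python
"""Triage helpers for CVE-2025-41028 (Epsilon RH, SQL injection, CWE-89).

Added example, not vendor or advisory code. The endpoint, parameter and
fixed version come from the advisory; the expected value format of
sEstadoUsr is an assumption used only to define a temporary allow-list.
"""
import re
from urllib.parse import parse_qs, urlparse

FIXED_VERSION = (3, 3, 36, 121)          # advisory: fixed in 3.03.36.0121
AFFECTED_PATH = "/epsilonnetws/wsavisos.asmx"
AFFECTED_PARAM = "sEstadoUsr"
# Assumed allow-list: 1-16 letters or digits. Anything else (quotes,
# spaces, comment markers, empty values) is rejected before it can reach
# the database layer.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9]{1,16}$")


def parse_version(text: str) -> tuple:
    """'3.03.36.0121' -> (3, 3, 36, 121); leading zeros are ignored."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed(installed: str) -> bool:
    """True when the installed Epsilon RH build is at or past the fix."""
    return parse_version(installed) >= FIXED_VERSION


def should_block(method: str, path: str, body: str) -> bool:
    """Virtual-patch rule for a reverse proxy or WAF hook.

    Blocks a POST to the affected web service whose sEstadoUsr value does
    not match the allow-list (assumes a form-encoded body). Requests to
    other paths or with other methods pass through untouched.
    """
    if method.upper() != "POST":
        return False
    if urlparse(path).path.lower() != AFFECTED_PATH:
        return False
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get(AFFECTED_PARAM, []):
        if not ALLOWED_VALUE.match(value):
            return True
    return False


if __name__ == "__main__":
    print("installed 3.03.35.0900 fixed?", is_fixed("3.03.35.0900"))   # False
    print("block?", should_block("POST", AFFECTED_PATH, "sEstadoUsr=ACT%27"))  # True
```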