SQL injection in Epsilon RH

Posted date 20/10/2025
Identifier
INCIBE-2025-0577
Importance
5 - Critical
Affected Resources

Epsilon RH

Description

INCIBE has coordinated the publication of a critical severity vulnerability affecting Epsilon RH by Grupo Castilla, a human resources (HR) management system. The vulnerability was discovered by Pedro Gabaldón Juliá, Javier Medina Munuera, Antonio José Gálvez Sánchez, Alejandro Baño Andrés and Álvaro Piñero Laorden.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:

  • CVE-2025-41028: CVSS v4.0: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89.
Solution

The Grupo Castilla team has fixed the reported vulnerability in version 3.03.36.0121. Deployments on earlier versions should be updated to that version or later.

Detail

CVE-2025-41028: A SQL injection vulnerability has been found in Epsilon RH by Grupo Castilla. It allows an attacker to retrieve, create, update and delete database contents by sending a POST request with the 'sEstadoUsr' parameter to '/epsilonnetws/WSAvisos.asmx'. The CVSS vector records PR:N and UI:N, so the request needs neither credentials nor user interaction, and the high confidentiality, integrity and availability impacts reflect that the injected SQL runs with the privileges of the application's database account.
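The following is an added illustration of the CWE-89 pattern behind this advisory, not Grupo Castilla's code and not the request used against Epsilon RH. Python with an in-memory SQLite table stands in for the ASP.NET web service and its database; the table, column names, sample rows and the hostile parameter value are all constructed for the example. It shows a handler that concatenates the 'sEstadoUsr' parameter into SQL text beside the parameterised version, and how the same hostile value behaves against each.

```python
import sqlite3

# Constructed sample data: a tiny "avisos" (notices) table standing in for the
# HR database. Table, column and user names are assumptions for this example.
ROWS = [
    (1, "alice", "ACTIVO", "Payslip ready"),
    (2, "bob", "ACTIVO", "Training reminder"),
    (3, "carol", "BAJA", "Exit interview"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE avisos (id INTEGER, usuario TEXT, estado TEXT, texto TEXT)"
    )
    conn.executemany("INSERT INTO avisos VALUES (?, ?, ?, ?)", ROWS)
    return conn


def avisos_vulnerable(conn, sEstadoUsr):
    """CWE-89: the request parameter is spliced into the SQL text, so any quote
    in it ends the string literal and the remainder is parsed as SQL."""
    sql = (
        "SELECT id, usuario, texto FROM avisos WHERE estado = '"
        + sEstadoUsr
        + "'"
    )
    return conn.execute(sql).fetchall()


def avisos_fixed(conn, sEstadoUsr):
    """Parameterised query: the value is bound by the driver and is only ever
    compared as data, never parsed as SQL."""
    sql = "SELECT id, usuario, texto FROM avisos WHERE estado = ?"
    return conn.execute(sql, (sEstadoUsr,)).fetchall()


def demo():
    """Run a benign and a hostile value through both handlers and return the
    number of rows each call exposes."""
    conn = make_db()
    benign = "BAJA"
    # Generic tautology payload for illustration; closes the literal and
    # appends an always-true condition. Not the payload from the advisory.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": len(avisos_vulnerable(conn, benign)),
        "vuln_hostile": len(avisos_vulnerable(conn, hostile)),
        "fixed_benign": len(avisos_fixed(conn, benign)),
        "fixed_hostile": len(avisos_fixed(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the benign value both handlers return the single BAJA row. With the hostile value the concatenating handler returns every row in the table, because the WHERE clause became `estado = 'x' OR '1'='1'`, while the parameterised handler returns nothing, because it looked for a user state literally named `x' OR '1'='1`. Whether an injection point of this kind can also create, update or delete data, as the advisory states for this CVE, depends on the database driver accepting stacked statements and on the privileges of the account the service connects with; the parameterised form removes the injection regardless. In the ASP.NET service itself the equivalent fix is to pass the parameter through a `SqlParameter` on the `SqlCommand` rather than building the command text by concatenation.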

Exploitation
No