Mallory
Severity: Critical

SQL Injection in Epsilon RH WSAvisos.asmx sEstadoUsr Parameter

Identifiers: CVE-2025-41028 · CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)

CVE-2025-41028 is a critical SQL injection vulnerability in Epsilon RH by Grupo Castilla. The flaw affects the '/epsilonnetws/WSAvisos.asmx' endpoint, where the 'sEstadoUsr' POST parameter is not neutralized before being incorporated into SQL queries. A remote attacker can send crafted POST requests to this web service to manipulate backend database operations. According to the advisory, successful exploitation allows retrieval, creation, modification, and deletion of database records. The advisory does not enumerate affected versions; it states that the issue is fixed in version 3.03.36.0121 and later, so earlier versions should be treated as affected.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to perform arbitrary database interactions through the vulnerable application logic, including reading, inserting, updating, and deleting records. In the context of an HR platform, this can expose sensitive personnel data, allow unauthorized modification of business records, destroy data, and lead to broader compromise of the application, depending on the privileges of the database account the service uses and on the deployment architecture.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to '/epsilonnetws/WSAvisos.asmx' to trusted sources only, monitor for suspicious POST requests to that endpoint (especially unusual values in the 'sEstadoUsr' parameter), and deploy WAF rules that detect and block SQL injection payloads. Note that ordinary web server access logs record the request line but not the POST body, so inspecting the parameter requires a reverse proxy, WAF, or application-level logging that captures request bodies. Signature-based WAF rules can be evaded through encoding and syntax variation, so these compensating controls are interim measures only, to be kept in place until the fixed version is deployed.
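The monitoring step above, worked through as an added example (this is not code from the page or from the vendor): a small inspector that takes logged requests with bodies, keeps only POSTs to the advisory's endpoint, pulls every 'sEstadoUsr' value out of either a form-encoded body or a SOAP envelope (.asmx services accept both), and flags values that contain injection indicators. The log record shape, the SOAP operation element name, the second endpoint path and the sample traffic are all constructed for the example, and the indicator list assumes the parameter normally carries a short status code.

```python
import html
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/epsilonnetws/WSAvisos.asmx"
PARAM = "sEstadoUsr"

# Heuristic injection indicators. The parameter is assumed to carry a short
# user-status code, so quotes, comments and SQL keywords have no business in it
# (assumption: tune against the values legitimately seen in your own traffic).
SQLI_PATTERNS = [
    re.compile(r"'"),                                   # string terminator
    re.compile(r"--|/\*|\*/"),                          # SQL comment sequences
    re.compile(r";"),                                   # statement separator (stacked queries)
    re.compile(r"\b(union|select|insert|update|delete|drop|exec|waitfor)\b", re.I),
    re.compile(r"\b(or|and)\s+\S+\s*=\s*\S+", re.I),    # tautologies such as 1=1
]


def extract_values(body: str, content_type: str) -> list[str]:
    """Return every decoded sEstadoUsr value found in a request body.

    .asmx services take the parameter either form-encoded (HTTP POST binding)
    or as an XML element inside a SOAP envelope; both shapes are handled.
    """
    values: list[str] = []
    if "application/x-www-form-urlencoded" in content_type:
        values.extend(parse_qs(body, keep_blank_values=True).get(PARAM, []))
    for match in re.finditer(rf"<{PARAM}(?:\s[^>]*)?>(.*?)</{PARAM}>", body, re.S | re.I):
        values.append(html.unescape(match.group(1)))   # undo &apos; and friends
    return values


def is_suspicious(value: str) -> bool:
    return any(pattern.search(value) for pattern in SQLI_PATTERNS)


def inspect(request: dict) -> dict:
    """Classify one logged request: in scope or not, values seen, alert or not."""
    in_scope = (request["method"].upper() == "POST"
                and request["path"].lower().startswith(TARGET_PATH.lower()))
    values = extract_values(request["body"], request.get("content_type", "")) if in_scope else []
    return {"in_scope": in_scope, "values": values, "alert": any(map(is_suspicious, values))}


def scan(requests: list[dict]) -> list[int]:
    """Indices of the requests that should raise an alert."""
    return [i for i, req in enumerate(requests) if inspect(req)["alert"]]


# Constructed sample traffic for the example; these are not real captures.
# The <Operation> element name is a placeholder: the real operation name is not public.
SOAP_BODY = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Operation xmlns="http://tempuri.org/">
      <sEstadoUsr>A&apos; UNION SELECT name FROM sysobjects --</sEstadoUsr>
    </Operation>
  </soap:Body>
</soap:Envelope>"""

FORM = "application/x-www-form-urlencoded"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": TARGET_PATH, "content_type": FORM,
     "body": "sEstadoUsr=A"},                                       # legitimate
    {"method": "POST", "path": TARGET_PATH, "content_type": FORM,
     "body": "sEstadoUsr=A%27+OR+1%3D1--"},                         # decodes to A' OR 1=1--
    {"method": "POST", "path": TARGET_PATH, "content_type": "text/xml; charset=utf-8",
     "body": SOAP_BODY},                                            # SOAP-wrapped UNION
    {"method": "POST", "path": "/epsilonnetws/OtherService.asmx", "content_type": FORM,
     "body": "sEstadoUsr=A%27+OR+1%3D1--"},                         # constructed out-of-scope path
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(f"ALERT request #{i}: {inspect(SAMPLE_REQUESTS[i])['values']}")
```

Run against a feed of proxy or WAF records, the inspector alerts on the two injected requests and stays quiet on the legitimate call and on the same payload sent to a path the advisory does not cover. Percent-decoding happens once, in parse_qs; if your proxy already decodes bodies, feed it the raw copy, or the indicators will run against doubly decoded text and may miss encoded variants.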

Remediation

Patch, then assume compromise.

Upgrade Epsilon RH to version 3.03.36.0121 or later, which contains the vendor fix. The durable fix for the application itself is for the code path handling the 'sEstadoUsr' parameter to use parameterized queries or prepared statements, to apply strict server-side input validation, and to run under a least-privilege database account so that any residual injection flaw cannot reach beyond the data the service legitimately needs. After patching, review database and application logs for prior abuse of the endpoint, since the flaw was reachable remotely.
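To make the remediation concrete, here is an added example (not the vendor's code) that re-creates the CWE-89 pattern and its fix side by side. Epsilon RH is an ASP.NET .asmx service and its schema is not public, so the example stands in SQLite for the backend and constructs the 'avisos' and 'usuarios' tables, their rows, and the allowlist of status codes; the lookup that splices 'sEstadoUsr' into the SQL text is the vulnerable pattern, and the parameterized one beside it is the fix.

```python
import sqlite3

# Illustrative re-implementation (assumption): the real service is an ASP.NET
# .asmx web service whose schema is not public, so the tables, columns and rows
# below are constructed for this example and SQLite stands in for the backend.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE avisos   (id INTEGER PRIMARY KEY, usuario TEXT, estado_usr TEXT, texto TEXT);
        CREATE TABLE usuarios (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
        INSERT INTO avisos VALUES
            (1, 'jlopez',  'A', 'Nomina de mayo disponible'),
            (2, 'mgarcia', 'B', 'Cambio de turno'),
            (3, 'aruiz',   'A', 'Revision anual');
        INSERT INTO usuarios VALUES
            (1, 'admin',  'hash-admin-constructed'),
            (2, 'jlopez', 'hash-jlopez-constructed');
    """)
    return conn


CONN = build_db()


def vulnerable_lookup(estado_usr: str) -> list[tuple]:
    """CWE-89 as described on this page: the parameter is spliced into the SQL text."""
    sql = f"SELECT id, usuario, texto FROM avisos WHERE estado_usr = '{estado_usr}'"
    return CONN.execute(sql).fetchall()


def safe_lookup(estado_usr: str) -> list[tuple]:
    """Parameterized query: the driver binds the value, so it can never become SQL syntax."""
    sql = "SELECT id, usuario, texto FROM avisos WHERE estado_usr = ?"
    return CONN.execute(sql, (estado_usr,)).fetchall()


# Assumed allowlist of legitimate status codes; the real set is not documented.
ALLOWED_STATES = {"A", "B", "P"}


def validate_estado(estado_usr: str) -> bool:
    """Strict server-side validation, applied before the query as a second layer."""
    return estado_usr in ALLOWED_STATES


# Two classic payloads for a single-quoted string context.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT id, login, password_hash FROM usuarios --"

if __name__ == "__main__":
    print("vulnerable, tautology:", vulnerable_lookup(TAUTOLOGY))   # every aviso row
    print("vulnerable, union    :", vulnerable_lookup(UNION_DUMP))  # rows from usuarios
    print("parameterized, same  :", safe_lookup(TAUTOLOGY), safe_lookup(UNION_DUMP))  # [] []
```

The tautology turns the WHERE clause into a condition that is always true and returns every notice; the UNION payload, with its column count matched to the original SELECT and the trailing quote commented out, pulls rows from an unrelated table, which is the "retrieval" half of what the advisory describes. Both payloads return nothing through the parameterized version because the whole string is compared as a literal value. The sqlite3 module's execute() refuses stacked statements, so the insert/update/delete half is not shown here; a backend and driver that accept batched statements, as ADO.NET against SQL Server does, would make that possible too, which is why the allowlist and the least-privilege database account belong alongside the parameterization.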
PUBLIC EXPLOITS

Exploits

No public exploit code has been observed for this vulnerability at the time of writing (0 tracked).
