
CVE-2025-12461: CWE-522 Insufficiently Protected Credentials in Grupo Castilla Epsilon RH

Medium
Tags: Vulnerability, CVE-2025-12461, cve, cve-2025-12461, cwe-522
Published: Wed Oct 29 2025 (10/29/2025, 10:51:36 UTC)
Source: CVE Database V5
Vendor/Project: Grupo Castilla
Product: Epsilon RH

Description

CVE-2025-12461 is a medium-severity vulnerability in Grupo Castilla's Epsilon RH version 3.03.36.0185 that allows unauthenticated attackers to access an unprotected application path (‘…/epsilonnet/License/About.aspx’). This path reveals license and configuration details, including installed modules, due to insufficient access control (CWE-522). The vulnerability has a CVSS 4.0 score of 6.9, indicating moderate risk with network attack vector and no user interaction required. While no known exploits are currently reported in the wild, exposure of license and configuration information could aid attackers in further targeted attacks.

AI-Powered Analysis

Last updated: 11/05/2025, 11:58:59 UTC

Technical Analysis

CVE-2025-12461 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting Grupo Castilla's Epsilon RH product, specifically version 3.03.36.0185. The flaw arises because the application exposes a specific URL path (‘…/epsilonnet/License/About.aspx’) without any access control mechanisms, allowing unauthenticated attackers to retrieve sensitive information about the software license and configuration, including details about installed modules. This information disclosure can facilitate further attacks by revealing the internal structure and capabilities of the deployed software. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, as reflected in its CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N). The CVSS score of 6.9 places it in the medium severity category, indicating a moderate risk primarily due to information disclosure rather than direct system compromise. No patches or exploits are currently known, but the exposure of license and configuration data can aid attackers in crafting more effective intrusion attempts or privilege escalation strategies. The vulnerability was assigned and published by INCIBE on October 29, 2025. Given the nature of the product—an HR management system—exposure of configuration details could also indirectly impact confidentiality and integrity of personnel data if leveraged in chained attacks. The lack of access control on this endpoint represents a fundamental security design flaw that should be addressed by implementing proper authentication and authorization checks. Monitoring access logs for unusual requests to this path can help detect exploitation attempts. Since the vulnerability affects a specific version of Epsilon RH, organizations should verify their software versions and apply vendor patches or mitigations once available.

Potential Impact

For European organizations using Grupo Castilla’s Epsilon RH version 3.03.36.0185, this vulnerability poses a moderate risk by exposing sensitive license and configuration information without requiring authentication. The disclosed data can facilitate reconnaissance efforts by attackers, enabling them to identify installed modules and tailor subsequent attacks, potentially leading to privilege escalation or data breaches. While the vulnerability itself does not directly compromise confidentiality, integrity, or availability of core HR data, it lowers the barrier for attackers to exploit other weaknesses in the system. This is particularly concerning for organizations with critical HR operations or sensitive employee data, as it could be a stepping stone for more damaging attacks. The absence of known exploits reduces immediate risk, but the ease of exploitation and network accessibility mean that threat actors could develop exploits quickly. European entities relying on this software for personnel management may face increased exposure to targeted cyberattacks, especially in sectors with high regulatory compliance requirements such as finance, healthcare, and government. The vulnerability could also impact trust and compliance with data protection regulations like GDPR if exploited in a chained attack leading to personal data compromise.

Mitigation Recommendations

Organizations should immediately audit their deployments of Grupo Castilla Epsilon RH to identify affected versions (3.03.36.0185). Until an official patch is released, implement strict network-level access controls to restrict access to the vulnerable path (‘…/epsilonnet/License/About.aspx’) using firewalls or web application firewalls (WAFs). Configure the application or underlying web server to enforce authentication and authorization checks on all sensitive endpoints, ensuring that license and configuration information is not publicly accessible. Enable detailed logging and monitoring for any access attempts to this path to detect potential reconnaissance activity. Conduct internal penetration testing to verify no other unprotected endpoints exist. Engage with Grupo Castilla support to obtain patches or updates addressing this vulnerability. Additionally, review and harden overall application security configurations, including secure coding practices and least privilege principles for internal modules. Educate IT and security teams about this vulnerability to increase awareness and readiness to respond to suspicious activity. Consider network segmentation to isolate HR management systems from broader corporate networks to limit attack surface exposure.
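The Technical Analysis and the Mitigation Recommendations above both suggest monitoring web server access logs for requests to the About.aspx path as a way to spot reconnaissance. The following script is an added example, not part of the advisory, the vendor's product or INCIBE's material. It assumes the application is served by IIS with the default W3C extended log field order; the log lines embedded in it are constructed for illustration, and the URL prefix before ‘/epsilonnet/License/About.aspx’ is unknown, so the match is on the tail of the URI stem only. A request is flagged when it hits that path, carries no authenticated username and is answered with a 2xx status, which is exactly the condition the vulnerability describes; a 401 on the same path, or an authenticated hit, is not flagged.

```python
"""Flag unauthenticated, successful requests to .../epsilonnet/License/About.aspx
in IIS W3C logs. Added example (not vendor code); field order is the IIS default
and the sample log below is constructed."""
import re
from collections import Counter

# Advisory path is given as '…/epsilonnet/License/About.aspx'; the prefix is
# unknown, so anchor on the tail. IIS paths are case-insensitive.
SENSITIVE_PATH = re.compile(r"/epsilonnet/License/About\.aspx$", re.IGNORECASE)

# Default IIS W3C extended logging field order (assumed deployment setting).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log: one authenticated hit, two anonymous hits served with
# 200 from the same client (one with an extra prefix and odd casing), and one
# anonymous hit correctly rejected with 401.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-30 08:01:12 10.0.0.5 GET /epsilonnet/Default.aspx - 443 DOMAIN\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-10-30 08:02:45 10.0.0.5 GET /epsilonnet/License/About.aspx - 443 DOMAIN\\jdoe 10.0.1.20 Mozilla/5.0 - 200 0 0 80
2025-10-30 08:03:01 10.0.0.5 GET /epsilonnet/license/about.aspx - 443 - 198.51.100.7 python-requests/2.32 - 200 0 0 45
2025-10-30 08:03:02 10.0.0.5 GET /hr/epsilonnet/License/About.aspx - 443 - 198.51.100.7 python-requests/2.32 - 200 0 0 44
2025-10-30 08:04:10 10.0.0.5 GET /epsilonnet/License/About.aspx - 443 - 203.0.113.9 curl/8.4 - 401 2 5 10
"""


def parse_w3c(text):
    """Yield one dict per data line, skipping '#' directives and malformed rows."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than crash the scan
        yield dict(zip(FIELDS, parts))


def find_unauthenticated_hits(text):
    """Return records where the sensitive path was served (2xx) to an anonymous user."""
    hits = []
    for rec in parse_w3c(text):
        if not SENSITIVE_PATH.search(rec["cs-uri-stem"]):
            continue
        anonymous = rec["cs-username"] == "-"   # IIS logs '-' when no user is authenticated
        served = rec["sc-status"].startswith("2")
        if anonymous and served:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "path": rec["cs-uri-stem"],
                "user_agent": rec["cs(User-Agent)"],
            })
    return hits


def sources(hits):
    """Count flagged requests per client IP, useful for blocking or alert thresholds."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_unauthenticated_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} {h['path']} ua={h['user_agent']}")
    print("per-client:", dict(sources(found)))
```

The check deliberately keys on "served without a username" rather than on the path alone, so the same script can confirm that a mitigation works: once the web server enforces authentication on the License folder, anonymous requests to the path should show up as 401/403 and the script should report nothing, while the raw access count for the path still reveals who is probing it.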


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-10-29T10:23:47.181Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6901f6a28cf71dc7fdc086b5

Added to database: 10/29/2025, 11:12:34 AM

Last enriched: 11/5/2025, 11:58:59 AM

Last updated: 12/14/2025, 2:52:16 PM

Views: 73
