CVE-2025-41028: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Grupo Castilla Epsilon RH
A SQL Injection vulnerability has been found in Epsilon RH by Grupo Castilla. This vulnerability allows an attacker to retrieve, create, update and delete database records by sending a POST request using the parameter 'sEstadoUsr' in '/epsilonnetws/WSAvisos.asmx'.
AI Analysis
Technical Summary
CVE-2025-41028 is a critical SQL Injection vulnerability identified in the Epsilon RH product by Grupo Castilla, specifically affecting version 3.03.36.0121. The flaw resides in the improper neutralization of special elements within the 'sEstadoUsr' parameter of the '/epsilonnetws/WSAvisos.asmx' web service endpoint. An attacker can send crafted POST requests to this endpoint without authentication or user interaction, enabling them to execute arbitrary SQL commands against the backend database. This allows unauthorized retrieval, creation, modification, or deletion of database records, potentially compromising sensitive HR data such as employee records, payroll information, and other confidential organizational data. The vulnerability is scored 9.3 on the CVSS 4.0 scale, reflecting its critical nature with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and critical impact make it a high-risk threat. The vulnerability was reserved in April 2025 and published in October 2025, with INCIBE as the assigner. No patches are currently linked, indicating that organizations must implement interim mitigations while awaiting official fixes. The vulnerability falls under CWE-89, a well-known category of SQL Injection flaws caused by improper input sanitization. Given the nature of HR systems, exploitation could lead to severe privacy violations and operational disruptions.
Potential Impact
For European organizations, the impact of CVE-2025-41028 is substantial. HR systems typically store highly sensitive personal data protected under GDPR, including employee identities, contracts, salaries, and performance records. Exploitation could lead to unauthorized data disclosure, violating privacy regulations and resulting in legal penalties and reputational damage. Data integrity could be compromised, allowing attackers to alter or delete records, disrupting HR operations such as payroll processing and compliance reporting. Availability may also be affected if attackers delete or corrupt database contents, causing downtime and operational delays. The lack of authentication and user interaction requirements means attackers can remotely exploit the vulnerability at scale, increasing the risk of widespread attacks. European organizations relying on Grupo Castilla's Epsilon RH software, especially in sectors with strict data protection requirements like finance, healthcare, and government, are at elevated risk. The critical severity and network accessibility make this vulnerability a prime target for threat actors aiming to conduct espionage, sabotage, or ransomware attacks leveraging compromised HR data.
Mitigation Recommendations
1. Immediate Actions: Implement network-level controls such as web application firewalls (WAFs) to detect and block malicious SQL injection payloads targeting the 'sEstadoUsr' parameter.
2. Input Validation: Apply strict server-side input validation and sanitization for all parameters, especially 'sEstadoUsr', to neutralize special SQL characters and prevent injection.
3. Principle of Least Privilege: Restrict database user permissions used by the Epsilon RH application to only necessary operations, minimizing potential damage from exploitation.
4. Monitoring and Logging: Enable detailed logging of web service requests and database queries to detect anomalous activities indicative of SQL injection attempts.
5. Patch Management: Monitor Grupo Castilla advisories closely and apply official patches or updates as soon as they become available.
6. Segmentation: Isolate HR systems from general corporate networks to limit attacker lateral movement in case of compromise.
7. Incident Response: Prepare and test incident response plans specific to data breaches involving HR systems, including GDPR notification requirements.
8. Vendor Engagement: Engage with Grupo Castilla for timelines on patch releases and request guidance on interim mitigations.
These steps go beyond generic advice by focusing on immediate protective controls, minimizing attack surface, and ensuring regulatory compliance.
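As an added example (not code from Grupo Castilla or from this advisory), the log check from item 4 and the allow-list validation from item 2, run over constructed request records: it flags POST requests to the affected endpoint whose 'sEstadoUsr' value carries quote, comment or statement-separator characters, or fails an assumed short alphanumeric format. The 'METHOD PATH BODY' record layout and the accepted value format are assumptions; the advisory does not state the real accepted values.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/epsilonnetws/WSAvisos.asmx"
PARAM = "sEstadoUsr"

# Assumption: a legitimate value is a short alphanumeric status code; the
# advisory does not state the real accepted format, so tune this to your data.
ALLOWED = re.compile(r"[A-Za-z0-9_]{1,16}")
# Quote, comment and statement-separator tokens a status code never needs.
SQL_META = re.compile(r"['\";]|--|/\*|\*/")
# The value may also arrive as a SOAP element rather than a form field.
SOAP_ELEM = re.compile(rf"<{PARAM}>(.*?)</{PARAM}>", re.S)

def is_valid_estado(value: str) -> bool:
    """Allow-list check a hardened server-side validator would apply."""
    return ALLOWED.fullmatch(value) is not None

def extract_estado(body: str) -> list[str]:
    """Pull every sEstadoUsr value from a form-encoded or SOAP request body."""
    values = SOAP_ELEM.findall(body)
    values += parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return values

def classify_request(method: str, path: str, body: str) -> str:
    """Return 'ignore', 'clean' or 'suspicious' for one request record."""
    if method.upper() != "POST" or path.split("?", 1)[0].lower() != ENDPOINT.lower():
        return "ignore"
    for value in extract_estado(body):
        if SQL_META.search(value) or not is_valid_estado(value):
            return "suspicious"
    return "clean"

def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Scan 'METHOD PATH BODY' records (constructed layout) and list hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split(" ", 2)
        method, path = parts[0], parts[1]
        body = parts[2] if len(parts) > 2 else ""
        if classify_request(method, path, body) == "suspicious":
            hits.append((n, line.strip()))
    return hits

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "POST /epsilonnetws/WSAvisos.asmx sEstadoUsr=ACT",
    "POST /epsilonnetws/WSAvisos.asmx sEstadoUsr=ACT%27%3B--",
    "GET /epsilonnetws/WSAvisos.asmx sEstadoUsr=ACT",
    "POST /epsilonnetws/WSAvisos.asmx <sEstadoUsr>ACT'--</sEstadoUsr>",
]
```

The allow-list in is_valid_estado is the part that belongs on the server; the regex for metacharacters is only a detection aid and is not a substitute for parameterized queries.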
Affected Countries
Spain, Germany, France, Italy, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:26.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68f5fd4a1a5d33d7b2f03a6f
Added to database: 10/20/2025, 9:13:46 AM
Last enriched: 10/20/2025, 9:17:00 AM
Last updated: 10/20/2025, 11:42:01 AM