CVE-2025-41028 is a critical SQL Injection vulnerability identified in Grupo Castilla's Epsilon RH product, specifically version 3.03.36.010. The flaw resides in the handling of the 'sEstadoUsr' parameter within the /epsilonnetws/WSAvisos.asmx web service endpoint. An attacker can send a crafted POST request with malicious SQL code embedded in this parameter, which the backend database executes without proper sanitization or neutralization of special SQL elements. This improper input validation (CWE-89) allows attackers to perform unauthorized actions on the database, including reading sensitive data, inserting new records, updating existing data, or deleting records. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network (AV:N/AC:L/AT:N/PR:N/UI:N). The CVSS 4.0 base score of 9.3 reflects the critical nature of this flaw, with high impact on confidentiality, integrity, and availability of data. Although no known exploits are currently in the wild, the vulnerability's characteristics make it a prime target for attackers seeking to compromise HR systems. The lack of available patches at the time of publication increases the urgency for organizations to implement interim mitigations such as input validation and web application firewalls. The vulnerability was reserved in April 2025 and published in October 2025, indicating recent discovery and disclosure.

For European organizations, the impact of CVE-2025-41028 is significant due to the sensitive nature of HR data managed by Epsilon RH, including personal employee information, payroll data, and organizational records. Successful exploitation can lead to data breaches exposing confidential employee details, potential identity theft, and compliance violations under GDPR. Additionally, attackers could manipulate or delete HR data, disrupting business operations and payroll processing, potentially causing financial and reputational damage. The vulnerability's remote and unauthenticated exploitability increases the risk of widespread attacks, especially in organizations with internet-facing HR systems. The critical severity and high CVSS score indicate that exploitation could result in full compromise of the affected database, impacting confidentiality, integrity, and availability simultaneously. European companies relying on Grupo Castilla's Epsilon RH without immediate remediation face elevated risks of targeted attacks, data loss, and regulatory penalties.

1. Immediate application of vendor patches once available is the most effective mitigation. Monitor Grupo Castilla advisories for updates. 2. Until patches are released, implement strict input validation on the 'sEstadoUsr' parameter to reject or sanitize any SQL control characters or suspicious payloads. 3. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the /epsilonnetws/WSAvisos.asmx endpoint. 4. Restrict network access to the vulnerable endpoint by limiting exposure to trusted internal networks or VPNs only. 5. Conduct thorough security audits and penetration testing focused on web services and API endpoints to identify similar injection flaws. 6. Monitor logs for unusual POST requests or database errors indicative of exploitation attempts. 7. Educate development and security teams on secure coding practices to prevent SQL injection vulnerabilities in future releases. 8. Consider database-level protections such as least privilege for application accounts and query parameterization to reduce impact if exploitation occurs.