Full Report
An SQL Injection vulnerability (CVE-2025-9339) has been found in SIMPLE.ERP software.
Analysis Summary
# Vulnerability: SQL Injection in SIMPLE.ERP Warehouse Document Filtering
## CVE Details
- CVE ID: CVE-2025-9339
- CVSS Score: Not explicitly stated in the source. Medium/High is implied because the issue is SQL injection; Moderate is assumed for this summary in the absence of an explicit score.
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
## Affected Systems
- Products: SIMPLE.ERP software
- Versions: All versions prior to the version described by the placeholder `[email protected]`. (Note: The exact fixed version number is obfuscated in the source material but implies all versions before the patch release).
- Configurations: Affects fields within the warehouse document filtering form; requires a logged-in user.
## Vulnerability Description
This is an SQL Injection vulnerability present in the input fields used for filtering warehouse documents within the SIMPLE.ERP software. A logged-in, authenticated user can inject malicious SQL queries. The maximum length for these input fields is limited to 20 characters, which restricts the complexity of the injected query. A confirmed use case demonstrated the ability to delete database tables whose names consist of a maximum of 6 characters.
## Exploitation
- Status: PoC available (Demonstrated ability to delete small tables)
- Complexity: Low (Requires user authentication)
- Attack Vector: Adjacent (Requires network access to the application interface after authentication)
## Impact
- Confidentiality: Potential (Limited by 20-character payload, ability to exfiltrate data not identified)
- Integrity: High (Confirmed ability to execute destructive commands, e.g., table deletion)
- Availability: Medium (Potential for denial of service via table deletion)
## Remediation
### Patches
- Vendor (Simple SA) has released a patch addressing this vulnerability. Customers must update to versions *after* the version designated by `[email protected]` (The specific fixed version number must be obtained from the vendor).
### Workarounds
- No specific vendor workarounds were disclosed in the provided text.
- **Mitigation Suggestion:** Limit the privileges of authenticated users, especially those who only require document viewing, to reduce the potential blast radius of a successful injection.
## Detection
- **Indicators of Compromise:** Monitoring database logs for unusually short, anomalous, or non-standard SQL queries originating from the application's user context, particularly those attempting DDL operations (like `DROP TABLE`).
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) configured to inspect POST/GET parameters for common SQL metacharacters (`'`, `--`, `;`, etc.) might catch attempts before they reach the application, although the 20-character limit makes signature matching difficult. Focus on application-level access logging.
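
One way to implement the database-log check described above, as an added example that is not part of the original report or any vendor guidance. The pipe-delimited log format, the `erp_app` account name and the table names are assumptions, and the sample lines are constructed.

```python
import re

APP_ACCOUNTS = {"erp_app"}  # hypothetical DB login used by the ERP application
DDL = re.compile(r"\b(DROP|TRUNCATE|ALTER|CREATE)\s+(TABLE|INDEX|VIEW|DATABASE)\b", re.I)
LITERAL = re.compile(r"'(?:[^']|'')*'")      # single-quoted SQL string ('' = escaped quote)
COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)

# Constructed audit-log lines; assumed format: time|db_user|client|statement
SAMPLE_LOG = """\
2025-09-01T08:14:02|erp_app|10.0.0.5|SELECT doc_id FROM wh_docs WHERE doc_no LIKE 'WZ/2025/%'
2025-09-01T08:14:09|erp_app|10.0.0.5|DROP TABLE tmp_ab
2025-09-01T08:15:30|dba_admin|10.0.0.9|ALTER TABLE wh_docs ADD note VARCHAR(50)
2025-09-01T08:16:11|erp_app|10.0.0.5|SELECT doc_id FROM wh_docs WHERE note = 'drop table x'
2025-09-01T08:16:44|erp_app|10.0.0.5|drop   table abc123
corrupted entry
"""

def ddl_keywords(statement):
    """Return DDL verbs that appear outside string literals and comments."""
    bare = COMMENT.sub(" ", LITERAL.sub("''", statement))
    return [m.group(1).upper() for m in DDL.finditer(bare)]

def find_app_ddl(log_text):
    """Flag DDL executed under an application account, which should only run DML."""
    alerts = []
    for number, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed or truncated log line
        time, user, client, statement = (p.strip() for p in parts)
        if user not in APP_ACCOUNTS:
            continue  # DDL from DBA accounts is handled by change control, not here
        verbs = ddl_keywords(statement)
        if verbs:
            alerts.append({"line": number, "time": time, "client": client,
                           "verbs": verbs, "statement": statement})
    return alerts

if __name__ == "__main__":
    for alert in find_app_ddl(SAMPLE_LOG):
        print(alert)
```

Because the check keys on the statement type and the database account rather than on the request payload, it is not affected by the 20-character input limit that makes WAF signatures unreliable.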
## References
- Vendor advisories: Contact Simple SA directly for definitive patch versions.
- Relevant links (defanged):
  - hxxps://www.cve.org/CVERecord?id=CVE-2025-9339
  - hxxps://cert.pl/en/cvd/