CVE-2025-9339

Summary

SQL injection vulnerability in the fields of warehouse document filtering form in SIMPLE.ERP software allows logged-in user a malicious query injection. Potential exploitation is limited by the 20-character limit in form fields. Identified use case allows to delete tables with a name of maximum 6 characters. We weren't able to identify a way to exfiltrate data within query character limit.

This issue affects SIMPLE.ERP in versions before 6.30@a04.3.

Affected Software

VendorProductVersion RangeStatus
Simple SASIMPLE.ERP0 < 6.30@a04.3affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References