Skip to main content
CVE Vulnerability Database

CVE-2025-9619: Mercatus ERP RCE Vulnerability

CVE-2025-9619 is a remote code execution vulnerability in E4 Sistemas Mercatus ERP 2.00.019 affecting the webservice imprimir-danfe file. Attackers can exploit improper resource identifier control remotely. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2025-9619 Overview

CVE-2025-9619 affects E4 Sistemas Mercatus ERP version 2.00.019. The vulnerability resides in an unknown function within the /basico/webservice/imprimir-danfe/id/ endpoint. Attackers can manipulate a resource identifier parameter to trigger improper control of resource identifiers, categorized under [CWE-99]. The flaw is exploitable remotely over the network without authentication or user interaction. The vendor was contacted before public disclosure but did not respond. No official patch is currently referenced in vendor advisories.

Critical Impact

Remote, unauthenticated attackers can abuse the DANFE printing web service endpoint to access or manipulate resources through identifier tampering, impacting confidentiality of ERP data.

Affected Products

  • E4 Sistemas Mercatus ERP 2.00.019
  • Component: /basico/webservice/imprimir-danfe/id/ web service endpoint
  • Deployments exposing the ERP web service to untrusted networks

Discovery Timeline

  • 2025-08-29 - CVE-2025-9619 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-9619

Vulnerability Analysis

The vulnerability is classified under [CWE-99] Improper Control of Resource Identifiers, also known as Resource Injection. The affected endpoint /basico/webservice/imprimir-danfe/id/ handles requests to print DANFE documents, which are Brazilian electronic invoice auxiliary documents used in ERP workflows. An attacker submits a crafted id value to the endpoint. The application uses that input to select or reference a backend resource without adequate validation or authorization checks. The EPSS score is 0.347% at the 26.833 percentile, indicating limited observed exploitation activity at this time.

Root Cause

The root cause is insufficient validation of the resource identifier passed through the URL path segment following /id/. The application maps user-supplied input directly to internal resource lookups. This allows attackers to request identifiers they should not be authorized to access.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP requests to the vulnerable endpoint with manipulated identifier values. Because the endpoint is a web service, automated tools can enumerate identifiers at scale. Public exploit code has not been confirmed available, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-9619

Indicators of Compromise

  • HTTP requests to /basico/webservice/imprimir-danfe/id/ with sequential, incremented, or otherwise anomalous identifier values
  • High request volume to the DANFE print endpoint from a single source address
  • Requests to the endpoint originating from IP ranges outside the expected user base
  • Anomalous access patterns from unauthenticated sessions to the web service path

Detection Strategies

  • Deploy web application firewall (WAF) rules that log and rate-limit requests to /basico/webservice/imprimir-danfe/id/
  • Correlate application logs against user session context to flag identifier access outside a user's authorization scope
  • Alert on enumeration patterns where identifier values increment or vary systematically across short time windows

Monitoring Recommendations

  • Ingest ERP web server access logs into a centralized SIEM for continuous review
  • Track baseline request rates to the DANFE endpoint and alert on deviations
  • Monitor for unauthenticated or anomalous source IP traffic reaching internal ERP web services

How to Mitigate CVE-2025-9619

Immediate Actions Required

  • Restrict network access to the E4 Sistemas Mercatus ERP web service to trusted internal networks and VPN users only
  • Place the ERP application behind a WAF with rules that validate the format and ownership context of the id parameter
  • Enforce authentication and session-based authorization checks on the /basico/webservice/imprimir-danfe/id/ endpoint at the reverse proxy layer
  • Review historical access logs for evidence of prior identifier enumeration or unauthorized document retrieval

Patch Information

As of the last NVD update on 2026-06-17, no official patch or vendor advisory has been published by E4 Sistemas. The vendor did not respond to disclosure attempts. Users should monitor the VulDB entry #321790 and the VulDB submission record for updates.

Workarounds

  • Block external access to the /basico/webservice/imprimir-danfe/ path at the perimeter until a vendor fix is available
  • Add reverse proxy authorization rules that validate the requesting user owns the referenced DANFE identifier
  • Implement input validation at a proxy layer to reject requests where the id value does not match expected format constraints
  • Log every access to the endpoint and review daily for suspicious identifier access patterns
bash
# Example nginx reverse proxy rule restricting the vulnerable endpoint to authenticated internal users
location /basico/webservice/imprimir-danfe/ {
    allow 10.0.0.0/8;
    deny all;
    auth_request /auth-validate;
    limit_req zone=danfe burst=5 nodelay;
    proxy_pass http://mercatus-erp-backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.