CVE-2025-9619 Overview
CVE-2025-9619 affects E4 Sistemas Mercatus ERP version 2.00.019. The vulnerability resides in an unknown function within the /basico/webservice/imprimir-danfe/id/ endpoint. Attackers can manipulate a resource identifier parameter to trigger improper control of resource identifiers, categorized under [CWE-99]. The flaw is exploitable remotely over the network without authentication or user interaction. The vendor was contacted before public disclosure but did not respond. No official patch is currently referenced in vendor advisories.
Critical Impact
Remote, unauthenticated attackers can abuse the DANFE printing web service endpoint to access or manipulate resources through identifier tampering, impacting confidentiality of ERP data.
Affected Products
- E4 Sistemas Mercatus ERP 2.00.019
- Component: /basico/webservice/imprimir-danfe/id/ web service endpoint
- Deployments exposing the ERP web service to untrusted networks
Discovery Timeline
- 2025-08-29 - CVE-2025-9619 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9619
Vulnerability Analysis
The vulnerability is classified under [CWE-99] Improper Control of Resource Identifiers, also known as Resource Injection. The affected endpoint /basico/webservice/imprimir-danfe/id/ handles requests to print DANFE documents, which are Brazilian electronic invoice auxiliary documents used in ERP workflows. An attacker submits a crafted id value to the endpoint. The application uses that input to select or reference a backend resource without adequate validation or authorization checks. The EPSS score is 0.347% at the 26.833 percentile, indicating limited observed exploitation activity at this time.
Root Cause
The root cause is insufficient validation of the resource identifier passed through the URL path segment following /id/. The application maps user-supplied input directly to internal resource lookups. This allows attackers to request identifiers they should not be authorized to access.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends HTTP requests to the vulnerable endpoint with manipulated identifier values. Because the endpoint is a web service, automated tools can enumerate identifiers at scale. Public exploit code has not been confirmed available, and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-9619
Indicators of Compromise
- HTTP requests to /basico/webservice/imprimir-danfe/id/ with sequential, incremented, or otherwise anomalous identifier values
- High request volume to the DANFE print endpoint from a single source address
- Requests to the endpoint originating from IP ranges outside the expected user base
- Anomalous access patterns from unauthenticated sessions to the web service path
Detection Strategies
- Deploy web application firewall (WAF) rules that log and rate-limit requests to /basico/webservice/imprimir-danfe/id/
- Correlate application logs against user session context to flag identifier access outside a user's authorization scope
- Alert on enumeration patterns where identifier values increment or vary systematically across short time windows
Monitoring Recommendations
- Ingest ERP web server access logs into a centralized SIEM for continuous review
- Track baseline request rates to the DANFE endpoint and alert on deviations
- Monitor for unauthenticated or anomalous source IP traffic reaching internal ERP web services
How to Mitigate CVE-2025-9619
Immediate Actions Required
- Restrict network access to the E4 Sistemas Mercatus ERP web service to trusted internal networks and VPN users only
- Place the ERP application behind a WAF with rules that validate the format and ownership context of the id parameter
- Enforce authentication and session-based authorization checks on the /basico/webservice/imprimir-danfe/id/ endpoint at the reverse proxy layer
- Review historical access logs for evidence of prior identifier enumeration or unauthorized document retrieval
Patch Information
As of the last NVD update on 2026-06-17, no official patch or vendor advisory has been published by E4 Sistemas. The vendor did not respond to disclosure attempts. Users should monitor the VulDB entry #321790 and the VulDB submission record for updates.
Workarounds
- Block external access to the /basico/webservice/imprimir-danfe/ path at the perimeter until a vendor fix is available
- Add reverse proxy authorization rules that validate the requesting user owns the referenced DANFE identifier
- Implement input validation at a proxy layer to reject requests where the id value does not match expected format constraints
- Log every access to the endpoint and review daily for suspicious identifier access patterns
# Example nginx reverse proxy rule restricting the vulnerable endpoint to authenticated internal users
location /basico/webservice/imprimir-danfe/ {
allow 10.0.0.0/8;
deny all;
auth_request /auth-validate;
limit_req zone=danfe burst=5 nodelay;
proxy_pass http://mercatus-erp-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

