CVE-2025-9619
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-29

Last updated on: 2025-08-29

Assigner: VulDB

Description
A security flaw has been discovered in E4 Sistemas Mercatus ERP 2.00.019. The affected element is an unknown function of the file /basico/webservice/imprimir-danfe/id/. Performing manipulation results in improper control of resource identifiers. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-29
Last Modified
2025-08-29
Generated
2026-06-16
AI Q&A
2025-08-29
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9619
EUVD
EUVD-2025-26164
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
e4sistemas mercatus_erp 2.00.019
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-99 The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

There are no known countermeasures or mitigations currently available from the vendor. Immediate steps include considering replacing the affected product or component. Additionally, restricting access to the vulnerable endpoint through network controls or web application firewalls may help reduce exposure until a fix or patch is available. [2]

Executive Summary

CVE-2025-9619 is an Insecure Direct Object Reference (IDOR) vulnerability in E4 Sistemas Mercatus ERP version 2.00.019. It occurs in the purchase invoice generation functionality at the endpoint /basico/webservice/imprimir-danfe/id/{invoice_id}. By manipulating the invoice ID parameter in the URL, an attacker can access purchase invoices belonging to other users without proper authorization, leading to unauthorized disclosure of sensitive invoice data. The vulnerability arises due to improper control of resource identifiers and insufficient input validation, allowing remote exploitation without authentication. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized remote attackers to access sensitive purchase invoice data of other users within the ERP system. This compromises the confidentiality of your financial and transactional information. Since exploitation requires no authentication and is considered easy, it poses a moderate security risk. There are currently no known mitigations or vendor responses, so the affected system remains vulnerable to data leakage and potential misuse of confidential information. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the endpoint https://expressfoods.mercatus.net.br/basico/webservice/imprimir-danfe/id/{invoice_id} for Insecure Direct Object Reference (IDOR) issues. You can try manipulating the invoice_id parameter in the URL to see if you can access invoices belonging to other users without authorization. For example, using curl commands to request different invoice IDs and checking if unauthorized data is returned. Example command: curl -i https://expressfoods.mercatus.net.br/basico/webservice/imprimir-danfe/id/1957650 and then curl -i https://expressfoods.mercatus.net.br/basico/webservice/imprimir-danfe/id/1957651 to compare responses. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9619. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart