CVE-2024-8773 HIGH

CVE-2024-8773: Protocol Downgrade in SIMPLE.ERP

Vendor Simple Sa
Product SIMPLE.ERP
Weakness CWE-757
Published March 24, 2025
Last update March 24, 2025

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The SIMPLE.ERP client is vulnerable to an MS SQL protocol downgrade request from the server side, which could lead to unencrypted communication that is vulnerable to data interception and modification. This issue affects SIMPLE.ERP from 6.20 to 6.30. Only version 6.30 received a patch, 6.30@a03.9, which makes it possible for an administrator to enforce encrypted communication. Versions 6.20 and 6.25 remain unpatched.

Key dates

02 Disclosure timeline

March 24, 2025 CVE published
March 24, 2025 Record updated