CVE-2025-9339

21.10.2025, 14:15

SQL injection vulnerability in the fields of warehouse document filtering form in SIMPLE.ERP software allows logged-in user a malicious query injection. Potential exploitation is limited by the 20-character limit in form fields. Identified use case allows to delete tables with a name of maximum 6 characters. We weren't able to identify a way to exfiltrate data within query character limit.

























This issue affects SIMPLE.ERP in versions before 6.30@a04.3.

SQL Injection

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
CERT-PL	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://cert.pl/en/posts/2025/10/CVE-2025-9339/

https://simple.com.pl/