CVE-2024-42677 is a vulnerability identified in Huizhi enterprise resource management system (ERP) version 1.0 and earlier. The flaw resides in the /nssys/common/filehandle.aspx component, which improperly handles requests, allowing a local attacker with limited privileges to retrieve sensitive information from the system. This vulnerability is classified under CWE-922, indicating improper access control or authorization issues. The CVSS v3.1 base score is 5.5 (medium severity), with the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, meaning the attack requires local access, low attack complexity, and low privileges, but no user interaction. The impact is primarily on confidentiality, as the attacker can obtain sensitive data without affecting system integrity or availability. No patches or known exploits have been reported at the time of publication, suggesting the vulnerability is newly disclosed. The lack of a patch means organizations must rely on compensating controls until an official fix is released. Given the local access requirement, exploitation is limited to insiders or attackers who have already compromised a low-privilege account on the affected system.

The primary impact of CVE-2024-42677 is unauthorized disclosure of sensitive information within affected Huizhi ERP systems. This can lead to leakage of confidential business data, potentially exposing intellectual property, financial records, or personal employee information. Since the vulnerability requires local access and low privileges, the threat mainly concerns insider threats or attackers who have gained initial foothold on the network. While it does not directly affect system integrity or availability, the exposure of sensitive data can facilitate further attacks, social engineering, or compliance violations. Organizations relying on Huizhi ERP for critical business functions may face reputational damage, regulatory penalties, and operational risks if this vulnerability is exploited. The absence of known exploits reduces immediate risk, but the medium severity score indicates a need for timely mitigation to prevent escalation.

To mitigate CVE-2024-42677, organizations should first restrict local access to Huizhi ERP systems strictly to trusted personnel and enforce the principle of least privilege. Implement robust internal access controls and monitor user activities for unusual access patterns to the /nssys/common/filehandle.aspx component or related resources. Network segmentation can limit exposure by isolating ERP systems from general user environments. Until an official patch is released, consider deploying application-level controls such as web application firewalls (WAFs) to detect and block suspicious requests targeting the vulnerable endpoint. Conduct regular audits of user permissions and review logs for signs of unauthorized information access. Additionally, educate staff about insider threat risks and ensure endpoint security measures prevent unauthorized local access. Once a patch becomes available, prioritize its deployment to fully remediate the vulnerability.