CVE-2024-44757: n/a
An arbitrary file download vulnerability in the component /Basics/DownloadInpFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request.
AI Analysis
Technical Summary
CVE-2024-44757 is an arbitrary file download vulnerability found in the /Basics/DownloadInpFile component of NUS-M9 ERP Management Software version 3.0.0. This vulnerability allows attackers to send specially crafted interface requests to the affected endpoint, which improperly validates or restricts file paths, enabling the download of arbitrary files from the server filesystem. The flaw does not require any authentication or user interaction, making it remotely exploitable by any attacker with network access to the ERP system. The vulnerability primarily impacts confidentiality, as attackers can access sensitive files such as configuration files, database backups, or other critical data stored on the server. The CVSS v3.1 base score of 7.5 reflects a high severity level, with a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high confidentiality impact (C:H) but no impact on integrity or availability (I:N/A:N). The CWE-94 tag appears to be a misclassification, since CWE-94 relates to code injection while the core issue here is arbitrary file download. No patches or known exploits have been reported at the time of publication, but the vulnerability poses a significant risk if exploited. Organizations running this ERP software should conduct immediate risk assessments and apply mitigations to prevent unauthorized data disclosure.
Potential Impact
The primary impact of CVE-2024-44757 is the unauthorized disclosure of sensitive information stored on the ERP server. Attackers can download critical files such as system configurations, user credentials, financial records, or intellectual property, which can lead to further attacks like identity theft, corporate espionage, or regulatory non-compliance. Since the vulnerability requires no authentication or user interaction, it can be exploited by remote attackers with minimal effort, increasing the risk of widespread data breaches. The lack of impact on integrity or availability means the system's operations may continue uninterrupted, potentially allowing prolonged undetected data exfiltration. Organizations relying on NUS-M9 ERP for critical business functions could face severe reputational damage, financial losses, and legal consequences if this vulnerability is exploited. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as exploit code could be developed rapidly given the straightforward nature of the flaw.
Mitigation Recommendations
1. Immediate mitigation should include restricting network access to the /Basics/DownloadInpFile endpoint via firewall rules or network segmentation to limit exposure to trusted users only.
2. Implement strict input validation and sanitization on file path parameters to prevent traversal or arbitrary file access.
3. Apply access control checks to ensure only authorized users can request file downloads, ideally requiring authentication and role-based permissions.
4. Monitor web server logs for unusual or suspicious requests targeting the vulnerable endpoint to detect potential exploitation attempts.
5. If possible, disable or remove the vulnerable component until a vendor patch is available.
6. Engage with the software vendor for official patches or updates addressing this vulnerability and prioritize timely deployment once released.
7. Conduct regular security assessments and penetration testing on ERP systems to identify and remediate similar vulnerabilities proactively.
8. Educate system administrators on secure configuration practices and the importance of limiting file access through web interfaces.
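As an added example that is not part of this advisory or of the NUS-M9 code base, the Python below shows recommendations 2 and 4 in working form: a resolver that keeps a requested download strictly inside an allow-listed root (rejecting single- and double-URL-encoded traversal, backslash separators, absolute paths, NUL bytes and symlink escapes) and a filter over constructed access-log lines for the affected endpoint. The download root, the `file` query parameter name and the log format are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Assumed allow-list root for the download handler; NUS-M9's real directory
# layout is not documented in the advisory.
DOWNLOAD_ROOT = Path("/srv/erp/downloads")


class UnsafePath(ValueError):
    """Raised when a requested file name must not be served."""


def resolve_download(requested: str, root: Path = DOWNLOAD_ROOT) -> Path:
    """Map a client-supplied file name onto a path strictly inside `root`."""
    name = unquote(unquote(requested))  # second decode catches %252e%252e
    if not name or "\x00" in name:
        raise UnsafePath("empty name or NUL byte")
    name = name.replace("\\", "/")  # treat backslashes as separators too
    if name.startswith("/") or ".." in name.split("/"):
        raise UnsafePath("absolute path or traversal segment")
    root_real = root.resolve()
    candidate = (root_real / name).resolve()  # follows symlinks before checking
    if candidate == root_real or root_real not in candidate.parents:
        raise UnsafePath("resolved outside download root")
    return candidate


def is_safe_download(requested: str, root: Path = DOWNLOAD_ROOT) -> bool:
    """Boolean wrapper around resolve_download, usable from a WAF or request filter."""
    try:
        resolve_download(requested, root)
        return True
    except UnsafePath:
        return False


# Recommendation 4: flag access-log lines that hit the endpoint with traversal or NUL indicators.
TRAVERSAL_RE = re.compile(r"\.\.(/|\\|%2f|%5c)|%2e%2e|%252e|%00", re.IGNORECASE)


def flag_download_requests(log_lines):
    """Return lines that request /Basics/DownloadInpFile and carry a traversal indicator."""
    return [line for line in log_lines
            if "/Basics/DownloadInpFile" in line and TRAVERSAL_RE.search(line)]


# Constructed sample access-log lines (not real NUS-M9 logs); the "file" parameter is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2026:21:42:58] "GET /Basics/DownloadInpFile?file=report.inp HTTP/1.1" 200',
    '10.0.0.9 - - [25/Feb/2026:21:43:02] "GET /Basics/DownloadInpFile?file=..%2f..%2fconfig%2fdb.ini HTTP/1.1" 200',
    '10.0.0.9 - - [25/Feb/2026:21:43:05] "GET /Basics/DownloadInpFile?file=%252e%252e/web.config HTTP/1.1" 200',
    '10.0.0.7 - - [25/Feb/2026:21:43:09] "GET /Basics/Index HTTP/1.1" 200',
]
```

The resolver rejects rather than normalizes any `..` segment, so a request such as `sub/../report.inp` is refused even though it would land inside the root; the final `resolve()` comparison is defense in depth against symlinks planted under the download directory.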
Affected Countries
United States, China, India, Germany, United Kingdom, Japan, South Korea, Brazil, France, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-21T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ce2b7ef31ef0b569e11
Added to database: 2/25/2026, 9:42:58 PM
Last enriched: 2/28/2026, 6:44:06 AM
Last updated: 4/12/2026, 7:55:54 AM