CVE-2024-44759: n/a
An arbitrary file download vulnerability in the component /Doc/DownloadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request.
AI Analysis
Technical Summary
CVE-2024-44759 is an arbitrary file download vulnerability in the /Doc/DownloadFile component of NUS-M9 ERP Management Software version 3.0.0. A remote attacker who can reach the endpoint sends a crafted request in which the parameter that selects the file to download is not properly validated or sanitized, so directory traversal sequences (or an absolute path) cause the server to return files outside the intended document directory. The public description does not name the parameter and no proof of concept has been published. The CVSS 3.1 base score is 7.5 (High): network attack vector, low attack complexity, no privileges required and no user interaction, with high impact on confidentiality and none on integrity or availability. No patch or vendor fix has been published, and no exploitation in the wild has been reported. The record is tagged CWE-78 (improper neutralization of special elements used in an OS command), which does not match the behaviour described: an arbitrary file download driven by a user-controlled path is a path traversal weakness (CWE-22), and the CWE tag should be read as a classification error rather than as evidence of command execution. Because ERP systems hold critical business data, the vulnerability poses a significant risk if exploited.
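To make the flaw class concrete, the following is an added Python example written for this page; it is not NUS-M9 code, and the directory layout, parameter handling and file names are assumptions. It shows the defect the description implies (a request parameter decoded and joined onto a directory with no containment check) beside two hardened versions: canonicalising the path and verifying that it still lies inside the document directory, and mapping a client-supplied document identifier through an allowlist so that no path is ever taken from the request.

```python
"""Traversal in a file-download handler: flawed resolver beside two hardened ones."""
import tempfile
from pathlib import Path
from urllib.parse import unquote


def make_doc_root() -> Path:
    """Create a throwaway tree that stands in for the ERP's document store.
    Constructed sample data; the layout is a guess, not NUS-M9's real one."""
    root = Path(tempfile.mkdtemp()) / "app"
    files = root / "Doc" / "files"
    files.mkdir(parents=True)
    (files / "invoice-1001.pdf").write_bytes(b"%PDF-1.4 invoice")
    # A file that must never be downloadable: it sits above the files directory.
    (root / "web.config").write_text("<connectionStrings>db=secret</connectionStrings>")
    return root


def download_vulnerable(doc_root: Path, filename: str) -> bytes:
    """Hypothetical reconstruction of the flaw class (not NUS-M9 code): the
    request parameter is decoded and joined onto the directory with no check,
    so '../' walks out of it and an absolute path replaces it entirely."""
    target = doc_root / "Doc" / "files" / unquote(filename)
    return target.read_bytes()


def download_hardened(doc_root: Path, filename: str) -> bytes:
    """Canonicalise, then require the real path to sit strictly inside the base
    directory. Catches '../', percent-encoded variants, absolute paths and
    symlinks that point outside, because the check runs on the resolved path."""
    base = (doc_root / "Doc" / "files").resolve()
    candidate = (base / unquote(filename)).resolve()
    if base not in candidate.parents:        # also rejects candidate == base
        raise PermissionError(f"refused: {filename!r} resolves outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(filename)
    return candidate.read_bytes()


# Stricter still: clients name a document id, never a path. The id-to-file map
# is the allowlist; anything not in it does not exist as far as the endpoint knows.
DOC_INDEX = {"1001": "invoice-1001.pdf"}


def download_by_id(doc_root: Path, doc_id: str) -> bytes:
    filename = DOC_INDEX.get(doc_id)
    if filename is None:
        raise FileNotFoundError(doc_id)
    return download_hardened(doc_root, filename)


def outcome(func, *args) -> str:
    """Run one download and summarise what happened, for side-by-side comparison."""
    try:
        return "served:" + func(*args)[:5].decode()
    except PermissionError:
        return "refused"
    except FileNotFoundError:
        return "missing"


def demo(doc_root: Path) -> dict:
    probes = [
        "invoice-1001.pdf",              # legitimate request
        "../../web.config",              # plain traversal
        "..%2F..%2Fweb.config",          # percent-encoded traversal
        str(doc_root / "web.config"),    # absolute path
    ]
    return {
        "vulnerable": {p: outcome(download_vulnerable, doc_root, p) for p in probes},
        "hardened": {p: outcome(download_hardened, doc_root, p) for p in probes},
        "by_id": {i: outcome(download_by_id, doc_root, i) for i in ("1001", "../../web.config")},
    }


if __name__ == "__main__":
    for mode, results in demo(make_doc_root()).items():
        for probe, result in results.items():
            print(f"{mode:10} {probe!r:40} -> {result}")
```

The containment check deliberately compares resolved paths rather than searching the string for "../": encoded or backslash variants decode to the same traversal, and a symlink inside the document directory can point anywhere, so only the final real location is trustworthy.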
Potential Impact
The primary impact of CVE-2024-44759 is unauthorized disclosure of files on the ERP server: business documents, configuration files, stored credentials and connection strings, or other sensitive data, including personally identifiable information (PII). Because no authentication is required, anyone who can reach the endpoint can exploit it. The flaw does not by itself alter data or disrupt service, but credentials and configuration recovered this way are a common first step toward further compromise: authentication to the database or other internal systems, privilege escalation, lateral movement, or targeted social engineering. Organizations relying on NUS-M9 ERP for critical business operations may also face regulatory and reputational consequences. The absence of publicly reported exploitation provides a window for proactive mitigation, but traversal flaws of this type are trivial to exploit once the parameter is known, so the risk should be treated as high.
Mitigation Recommendations
Until the vendor ships a fix, organizations should restrict who can reach /Doc/DownloadFile at the network layer (IP allowlisting, VPN-only access, or removing the endpoint from internet exposure). Where the code can be changed, the fix is not to strip ../ from the parameter, which is easily bypassed with URL encoding, double encoding or backslashes, but to resolve the requested path to its canonical form and reject anything whose real location is outside the intended document directory; better still, have clients name a document identifier that the server maps to a file through an allowlist, so the request never carries a path at all. Enable detailed access logging for the endpoint and alert on requests whose parameters decode to traversal sequences or absolute paths; a 200 response to such a request indicates a file was probably disclosed, and credentials held in any file that could have been read (configuration files, connection strings) should then be rotated. A web application firewall rule can block obvious attempts in the meantime, but treat it as a stopgap, since the same encoding tricks that defeat naive input filters can defeat WAF signatures. Subscribe to vendor security advisories and apply the official patch when it appears, brief operations staff on what exploitation attempts look like in the logs, and include file-handling endpoints in periodic security assessments and penetration tests.
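To make the monitoring recommendation concrete, here is an added detection example written for this page (not part of the original analysis and not NUS-M9 code). It scans web-server access log lines in combined log format for requests to /Doc/DownloadFile whose query parameters, after repeated URL decoding and backslash normalisation, contain a traversal segment or an absolute path. The log lines are constructed samples, and the parameter name fileName is a placeholder because the CVE record does not name the real one; for that reason the scanner checks every query parameter rather than one fixed name.

```python
"""Scan access logs for traversal attempts against a file-download endpoint."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not real NUS-M9 traffic.
# 'fileName' is a placeholder for whatever parameter the real endpoint uses.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:21:42:58 +0000] "GET /Doc/DownloadFile?fileName=invoice-1001.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Feb/2026:21:43:01 +0000] "GET /Doc/DownloadFile?fileName=../../web.config HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.23 - - [25/Feb/2026:21:43:02 +0000] "GET /Doc/DownloadFile?fileName=..%252F..%252Fweb.config HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.23 - - [25/Feb/2026:21:43:03 +0000] "GET /Doc/DownloadFile?fileName=C:\\Windows\\win.ini HTTP/1.1" 404 0 "-" "curl/8.4.0"
203.0.113.9 - - [25/Feb/2026:21:44:10 +0000] "GET /doc/downloadfile?fileName=..\\..\\web.config HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [25/Feb/2026:21:45:00 +0000] "GET /static/app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment, not a name like '..hidden'
ABSOLUTE = re.compile(r"^(/|[A-Za-z]:/)")    # POSIX root or Windows drive root


def normalise(value: str, rounds: int = 3) -> str:
    """Undo layered percent-encoding and fold backslashes to '/', so that
    '..%252F' and '..\\' are judged the way the file system would treat them."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_traversal(value: str) -> bool:
    v = normalise(value)
    return bool(TRAVERSAL.search(v) or ABSOLUTE.match(v))


def scan_log(text: str, endpoint: str = "/Doc/DownloadFile") -> list:
    """Return one record per request to `endpoint` that carries a suspicious
    parameter. A 200 status on such a request means the file was most likely served."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Compare case-insensitively: the web server may not be case-sensitive.
        if parts.path.lower() != endpoint.lower():
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        bad = {k: v for k, vs in params.items() for v in vs if is_traversal(v)}
        if bad:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "params": bad,
                "likely_success": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "DISCLOSED?" if hit["likely_success"] else "blocked/missing"
        print(f'{hit["time"]} {hit["ip"]:15} {hit["status"]} {flag} {hit["params"]}')
```

Run against real logs, group the hits by source address and treat any 200 response as a probable disclosure that needs the file identified and its secrets rotated; the 404 in the sample shows the same client probing for a Windows path, which is worth alerting on even though nothing was returned.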
Affected Countries
United States, China, India, Germany, United Kingdom, Japan, South Korea, Brazil, France, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-21T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ce2b7ef31ef0b569e19
Added to database: 2/25/2026, 9:42:58 PM
Last enriched: 2/28/2026, 6:44:28 AM
Last updated: 4/12/2026, 3:38:21 PM