
CVE-2024-4995: CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') in Asseco Business Solutions S.A. Wapro ERP Desktop

Severity: Critical
Tags: CVE-2024-4995, CWE-757
Published: Wed Dec 18 2024 (12/18/2024, 11:36:47 UTC)
Source: CVE Database V5
Vendor/Project: Asseco Business Solutions S.A.
Product: Wapro ERP Desktop

Description

Wapro ERP Desktop is vulnerable to an MS SQL protocol downgrade request from the server side, which could lead to unencrypted communication vulnerable to data interception and modification. This issue affects Wapro ERP Desktop versions before 9.00.0.

AI-Powered Analysis

Last updated: 10/12/2025, 06:46:09 UTC

Technical Analysis

CVE-2024-4995 is a vulnerability classified under CWE-757 (Selection of Less-Secure Algorithm During Negotiation) and CWE-922 (Incomplete Recovery from Failed Attempts). It affects Wapro ERP Desktop, a widely used enterprise resource planning product developed by Asseco Business Solutions S.A. The vulnerability arises from the product's handling of the Microsoft SQL Server communication protocol. Specifically, the ERP client accepts a protocol downgrade request initiated from the server side, which forces the communication onto a less secure algorithm or even unencrypted transmission. This downgrade bypasses the security mechanisms expected to guarantee data confidentiality and integrity during client-server interactions. As a result, an attacker controlling or impersonating the server can intercept sensitive business data, including financial and operational information, and potentially modify it without detection. The vulnerability affects all versions before 9.00.0. The CVSS 4.0 vector indicates the attack is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), has low attack complexity (AC:L), and has attack requirements present (AT:P), meaning the attacker must be able to act as the server side of the connection. The impact on confidentiality and integrity is high (VC:H, VI:H), with no impact on availability. No patches were listed at the time of publication, and no exploits have been observed in the wild. The vulnerability was reserved in May 2024 and published in December 2024 by CERT-PL.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive ERP data. Wapro ERP Desktop is used by numerous small and medium enterprises across Europe, particularly in Poland and neighboring countries where Asseco has a strong market presence. An attacker exploiting this vulnerability could intercept unencrypted data streams, leading to exposure of financial records, customer data, and internal business processes. Additionally, data modification attacks could corrupt business operations or facilitate fraud. The lack of encryption also increases the risk of man-in-the-middle (MITM) attacks, especially on networks that are not fully secured or rely on VPNs with weak configurations. This could result in regulatory non-compliance under GDPR due to inadequate protection of personal and business data. The critical severity and ease of exploitation without authentication amplify the threat, potentially leading to operational disruptions and reputational damage.

Mitigation Recommendations

Organizations should immediately upgrade Wapro ERP Desktop to version 9.00.0 or later, where this vulnerability is addressed. Until patching is possible, network-level mitigations should be implemented, including enforcing encrypted tunnels such as IPsec or TLS VPNs between clients and servers to prevent interception of downgraded communications. Network segmentation should isolate ERP servers from untrusted networks. Monitoring for unusual SQL Server protocol downgrade attempts or unexpected unencrypted traffic can help detect exploitation attempts. Additionally, organizations should review and harden their MS SQL Server configurations to disallow fallback to insecure protocols or algorithms. Employing intrusion detection systems (IDS) with signatures for protocol downgrade attempts may provide early warning. Finally, conducting security awareness training for IT staff about this vulnerability and its risks will improve incident response readiness.
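The downgrade described above happens during the TDS PRELOGIN handshake, where client and server each announce an ENCRYPTION value before any login data is sent. The following is an added example written for this page, not code from Wapro ERP Desktop or from Asseco; it models the exchange with constructed packets. The option-table layout (token, big-endian offset and length, 0xFF terminator, offsets relative to the payload after the 8-byte TDS header) and the ENCRYPTION values follow the MS-TDS PRELOGIN definition; the VERSION bytes are placeholders, and the "continue only on ENCRYPT_ON or ENCRYPT_REQ" policy is this example's choice for a hardened client, set beside the downgrade-prone behaviour and a simple detection rule of the kind the monitoring recommendation above calls for.

```python
import struct

# TDS PRELOGIN packet type and option tokens (layout per MS-TDS PRELOGIN message)
PRELOGIN_TYPE = 0x12
VERSION, ENCRYPTION, INSTOPT, THREADID, MARS = 0x00, 0x01, 0x02, 0x03, 0x04
TERMINATOR = 0xFF

# Values of the ENCRYPTION option exchanged by client and server
ENCRYPT_OFF, ENCRYPT_ON, ENCRYPT_NOT_SUP, ENCRYPT_REQ = 0x00, 0x01, 0x02, 0x03
ENCRYPT_NAMES = {ENCRYPT_OFF: "ENCRYPT_OFF", ENCRYPT_ON: "ENCRYPT_ON",
                 ENCRYPT_NOT_SUP: "ENCRYPT_NOT_SUP", ENCRYPT_REQ: "ENCRYPT_REQ"}


def build_prelogin(options):
    """Serialize a PRELOGIN packet: 8-byte TDS header, option table, option data.

    Each table entry is token(1) offset(2) length(2), big-endian; offsets are
    relative to the start of the payload. The table ends with 0xFF.
    """
    table_len = 5 * len(options) + 1
    table, data, offset = b"", b"", table_len
    for token, value in options.items():
        table += struct.pack(">BHH", token, offset, len(value))
        data += value
        offset += len(value)
    payload = table + bytes([TERMINATOR]) + data
    # header: type, status (0x01 = end of message), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", PRELOGIN_TYPE, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin(packet):
    """Parse a PRELOGIN packet into {token: value}, rejecting malformed input."""
    if len(packet) < 8 or packet[0] != PRELOGIN_TYPE:
        raise ValueError("not a PRELOGIN packet")
    (length,) = struct.unpack(">H", packet[2:4])
    if length != len(packet):
        raise ValueError("TDS length field does not match packet size")
    payload = packet[8:]
    options, pos = {}, 0
    while True:
        if pos >= len(payload):
            raise ValueError("option table has no terminator")
        token = payload[pos]
        if token == TERMINATOR:
            return options
        if pos + 5 > len(payload):
            raise ValueError("truncated option table entry")
        off, ln = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if off + ln > len(payload):
            raise ValueError("option data out of bounds")
        options[token] = payload[off:off + ln]
        pos += 5


def encryption_value(packet):
    """Return the one-byte ENCRYPTION option from a PRELOGIN packet."""
    value = parse_prelogin(packet).get(ENCRYPTION)
    if value is None or len(value) != 1:
        raise ValueError("PRELOGIN carries no valid ENCRYPTION option")
    return value[0]


def vulnerable_client_accepts(server_reply):
    """Downgrade-prone behaviour: continue with whatever the server answered,
    even ENCRYPT_OFF / ENCRYPT_NOT_SUP, so the session runs in clear text."""
    encryption_value(server_reply)   # parsed, but never enforced
    return True


def hardened_client_accepts(server_reply):
    """Policy chosen for this example: continue only if the server commits to
    encrypting the whole session; anything else is treated as a downgrade."""
    return encryption_value(server_reply) in (ENCRYPT_ON, ENCRYPT_REQ)


def is_downgrade(client_request, server_reply):
    """Detection rule over a PRELOGIN pair: the client asked for session
    encryption and the server answered with less than that."""
    asked = encryption_value(client_request)
    got = encryption_value(server_reply)
    return asked in (ENCRYPT_ON, ENCRYPT_REQ) and got in (ENCRYPT_OFF, ENCRYPT_NOT_SUP)


# Constructed sample exchange (not captured traffic); VERSION bytes are placeholders
CLIENT_HELLO = build_prelogin({VERSION: b"\x00\x00\x00\x00\x00\x00",
                               ENCRYPTION: bytes([ENCRYPT_ON])})
SERVER_OK = build_prelogin({VERSION: b"\x10\x00\x0f\xa0\x00\x00",
                            ENCRYPTION: bytes([ENCRYPT_ON])})
SERVER_DOWNGRADE = build_prelogin({VERSION: b"\x10\x00\x0f\xa0\x00\x00",
                                   ENCRYPTION: bytes([ENCRYPT_NOT_SUP])})

if __name__ == "__main__":
    for name, reply in (("honest server", SERVER_OK), ("downgrading server", SERVER_DOWNGRADE)):
        print(f"{name}: server answered {ENCRYPT_NAMES[encryption_value(reply)]}, "
              f"vulnerable client continues={vulnerable_client_accepts(reply)}, "
              f"hardened client continues={hardened_client_accepts(reply)}, "
              f"downgrade detected={is_downgrade(CLIENT_HELLO, reply)}")
```

The point of the split between `vulnerable_client_accepts` and `hardened_client_accepts` is that the parsing is identical; the whole difference is whether the client enforces its own encryption requirement after reading the server's answer. `is_downgrade` is the same comparison applied from the outside, which is what a network sensor watching port 1433 would evaluate on the PRELOGIN pair to flag the condition this CVE describes.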


Technical Details

Data Version
5.1
Assigner Short Name
CERT-PL
Date Reserved
2024-05-16T10:39:00.184Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68e0f3bfb66c7f7acdd3cbe7

Added to database: 10/4/2025, 10:15:27 AM

Last enriched: 10/12/2025, 6:46:09 AM

Last updated: 12/4/2025, 6:30:05 AM

Views: 29

Community Reviews

0 reviews

