CVE-2025-4530 is a path traversal vulnerability identified in the ssm-erp software products distributed under the names feng_ha_ha/megagao ssm-erp and production_ssm version 1.0. The vulnerability resides in the handleFileDownload function within the FileController.java source file, part of the File Handler component. Path traversal vulnerabilities allow an attacker to manipulate file path inputs to access files and directories outside the intended scope, potentially exposing sensitive system files or application data. This vulnerability can be exploited remotely without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The CVSS 4.0 score of 5.3 classifies it as medium severity, reflecting moderate impact and ease of exploitation. The vulnerability affects confidentiality to a limited extent (VC:L) but does not impact integrity or availability. Although no public exploits are currently known in the wild, the exploit details have been disclosed publicly, increasing the risk of exploitation. The product is distributed under two different names, which may complicate detection and patch management. No patches or fixes have been linked or published yet, indicating that affected organizations may still be vulnerable. The vulnerability's presence in an ERP system is significant because ERP platforms often contain sensitive business data and are critical to organizational operations.

For European organizations using the affected ssm-erp 1.0 versions, this vulnerability poses a risk of unauthorized access to sensitive files stored on the ERP server. Attackers exploiting the path traversal flaw could retrieve configuration files, credentials, or proprietary business data, potentially leading to data breaches or facilitating further attacks. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach could have regulatory implications under GDPR, especially if personal or sensitive data is exposed. The remote and unauthenticated nature of the exploit increases the threat level, as attackers can attempt exploitation without insider access. Given that ERP systems are often integrated with multiple business processes, any compromise could disrupt workflows or erode trust in the system's security. The lack of available patches means organizations must rely on mitigations to reduce exposure until official fixes are released.

European organizations should immediately conduct an inventory to identify any deployments of feng_ha_ha/megagao ssm-erp or production_ssm version 1.0. Until patches are available, organizations should implement strict input validation and sanitization on the handleFileDownload function to prevent path traversal characters such as '../' sequences. Network-level controls such as web application firewalls (WAFs) should be configured to detect and block suspicious path traversal attempts targeting the ERP system. Access to the ERP server should be restricted using network segmentation and IP whitelisting to limit exposure to trusted sources only. Monitoring and logging of file access requests should be enhanced to detect anomalous activity indicative of exploitation attempts. Organizations should engage with the vendor or community for updates on patches and apply them promptly once released. Additionally, conducting penetration testing focused on path traversal vectors can help verify the effectiveness of mitigations.