
CVE-2025-9619: Improper Control of Resource Identifiers in E4 Sistemas Mercatus ERP

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 04:02:06 UTC)
Source: CVE Database V5
Vendor/Project: E4 Sistemas
Product: Mercatus ERP

Description

A security flaw has been discovered in E4 Sistemas Mercatus ERP 2.00.019. The affected element is an unknown function of the file /basico/webservice/imprimir-danfe/id/. Performing manipulation results in improper control of resource identifiers. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/29/2025, 04:32:58 UTC

Technical Analysis

CVE-2025-9619 is a medium-severity vulnerability affecting E4 Sistemas Mercatus ERP version 2.00.019. The flaw arises from improper control of resource identifiers within an unspecified function located at the path /basico/webservice/imprimir-danfe/id/. It allows an unauthenticated remote attacker to manipulate the resource identifier supplied to this endpoint, potentially leading to unauthorized access to, or manipulation of, resources within the ERP system. Exploitation requires no user interaction or privileges and is possible over the network, which raises the risk profile. The CVSS 4.0 base score is 6.9: medium severity, driven by the lack of authentication and the ease of remote exploitation, offset by a limited impact (low on confidentiality, none on integrity or availability). The vendor, E4 Sistemas, has not responded to disclosure attempts, and no patches or mitigations have been published. No exploits are currently known to be active in the wild. The vulnerability most likely stems from insufficient validation or authorization checks on the resource identifier, which would allow an attacker to access or manipulate documents or data handled by the ERP's document printing web service (imprimir-danfe).

Potential Impact

For European organizations using Mercatus ERP 2.00.019, this vulnerability poses a risk of unauthorized access to sensitive business documents or data managed by the ERP system, particularly those related to invoicing or fiscal documents (as implied by 'danfe', a Brazilian electronic invoice document). Although the impact on confidentiality is rated low, unauthorized access could lead to exposure of sensitive financial or operational data, potentially facilitating fraud or data leakage. The lack of integrity and availability impact reduces the risk of system disruption, but data exposure alone can have regulatory and reputational consequences under GDPR and other European data protection laws. Since the vulnerability is remotely exploitable without authentication, attackers could leverage it to gain footholds or gather intelligence on business operations. The absence of vendor response and patches increases the window of exposure, necessitating proactive mitigation by affected organizations. The threat is more acute for companies with ERP deployments accessible from external networks or insufficiently segmented internal networks.

Mitigation Recommendations

Given the lack of official patches, European organizations should implement compensating controls immediately. Restrict network access to the affected ERP web service endpoint via firewalls or network segmentation, allowing only trusted internal IP ranges to reach /basico/webservice/imprimir-danfe/id/. Deploy a web application firewall (WAF) with custom rules that detect and block suspicious manipulation of resource identifiers sent to this endpoint. Conduct thorough access control reviews so that ERP users hold only the privileges they need, and monitor logs for anomalous access patterns involving the printing service. If possible, disable or restrict the vulnerable web service functionality until a vendor patch is available. Organizations should also engage with E4 Sistemas for updates and monitor threat intelligence feeds for emerging exploits. Regular backups and incident response readiness are advisable to limit the consequences of any exploitation.
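The log-monitoring recommendation above can be turned into a concrete check. The following Python script is an added example, not part of the advisory or of E4 Sistemas' software: it parses web server access logs in the common combined format (an assumption about the deployment), picks out requests to /basico/webservice/imprimir-danfe/id/<id>, and flags two things a defender would want to see: requests from sources outside the trusted ranges that the firewall rules should be enforcing, and clients that walk through many distinct document identifiers in a short window, which is what exploitation of an improperly controlled identifier tends to look like. The trusted range 10.0.0.0/8 is a placeholder, and the log lines are constructed sample data.

```python
"""Added example: hunt for anomalous access to the Mercatus ERP printing
endpoint in web server access logs. Assumptions (not from the advisory):
logs are in Apache/nginx combined format, and 10.0.0.0/8 is a placeholder
for the organisation's trusted internal range."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log lines, not real traffic.
SAMPLE_LOG = """\
10.0.5.12 - - [29/Aug/2025:10:00:01 +0000] "GET /basico/webservice/imprimir-danfe/id/1001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.12 - - [29/Aug/2025:10:05:00 +0000] "GET /basico/webservice/imprimir-danfe/id/1002 HTTP/1.1" 200 5311 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Aug/2025:10:07:30 +0000] "GET /login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2025:10:10:00 +0000] "GET /basico/webservice/imprimir-danfe/id/1 HTTP/1.1" 200 4980 "-" "curl/8.0"
203.0.113.7 - - [29/Aug/2025:10:10:01 +0000] "GET /basico/webservice/imprimir-danfe/id/2 HTTP/1.1" 200 5002 "-" "curl/8.0"
203.0.113.7 - - [29/Aug/2025:10:10:02 +0000] "GET /basico/webservice/imprimir-danfe/id/3 HTTP/1.1" 404 120 "-" "curl/8.0"
203.0.113.7 - - [29/Aug/2025:10:10:03 +0000] "GET /basico/webservice/imprimir-danfe/id/4 HTTP/1.1" 200 5107 "-" "curl/8.0"
203.0.113.7 - - [29/Aug/2025:10:10:04 +0000] "GET /basico/webservice/imprimir-danfe/id/5 HTTP/1.1" 200 4877 "-" "curl/8.0"
203.0.113.7 - - [29/Aug/2025:10:10:05 +0000] "GET /basico/webservice/imprimir-danfe/id/6 HTTP/1.1" 200 5200 "-" "curl/8.0"
203.0.113.7 - - [29/Aug/2025:10:10:06 +0000] "GET /basico/webservice/imprimir-danfe/id/7 HTTP/1.1" 200 5033 "-" "curl/8.0"
10.0.5.30 - - [29/Aug/2025:11:00:00 +0000] "GET /basico/webservice/imprimir-danfe/id/1003 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# The endpoint named in the advisory; the identifier is whatever follows /id/.
ENDPOINT_RE = re.compile(r"^/basico/webservice/imprimir-danfe/id/(?P<id>[^/?#]+)")


def parse_endpoint_events(log_text):
    """Return one event dict per request that hits the printing endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-combined line, skip
        e = ENDPOINT_RE.match(m["path"])
        if not e:
            continue  # some other URL
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "id": e["id"],
            "status": int(m["status"]),
        })
    return events


def untrusted_sources(events, trusted_networks):
    """Client addresses that reached the endpoint from outside the allow-list."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = set()
    for ev in events:
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in n for n in nets):
            flagged.add(ev["ip"])
    return sorted(flagged)


def id_enumeration(events, max_distinct_ids=5, window_seconds=60):
    """Clients that requested more than max_distinct_ids distinct document ids
    within any sliding window of window_seconds. Returns {ip: peak distinct count}.
    Failed lookups (404) count too: probing for valid ids is part of the signal."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits within window_seconds.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {e["id"] for e in evs[start:end + 1]}
            if len(distinct) > max_distinct_ids:
                findings[ip] = max(findings.get(ip, 0), len(distinct))
    return findings


def analyze(log_text, trusted_networks=("10.0.0.0/8",)):
    """Run both checks over a log excerpt and return a summary dict."""
    events = parse_endpoint_events(log_text)
    return {
        "endpoint_requests": len(events),
        "untrusted_sources": untrusted_sources(events, trusted_networks),
        "enumeration": id_enumeration(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Tune `max_distinct_ids` and `window_seconds` to the normal print volume of your own users; the thresholds here are illustrative. Feeding the script a rolling export of the web server log, or wiring the same two rules into a SIEM query, covers the "monitor logs for anomalous access patterns" step until a vendor fix is available.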


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-28T18:41:26.269Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b129ecad5a09ad00740d30

Added to database: 8/29/2025, 4:17:48 AM

Last enriched: 8/29/2025, 4:32:58 AM

Last updated: 8/29/2025, 5:16:23 AM

