CVE-2026-2864 is a path traversal vulnerability identified in the ssm-erp software developed by feng_ha_ha, specifically within the pictureDelete function of the PictureController.java file. The vulnerability arises from improper sanitization of the picName parameter, which an attacker can manipulate to traverse directories outside the intended file path. This can lead to unauthorized deletion of arbitrary files on the server hosting the ERP system. The vulnerability can be exploited remotely without user interaction, but requires low-level privileges on the system. The product is distributed under two different names and lacks versioning, making it difficult to determine the full scope of affected versions. The vendor was notified early but has not issued a patch or response. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no user interaction, and limited impact on confidentiality, integrity, and availability. While no known exploits are currently active in the wild, the public disclosure of the exploit code increases the likelihood of exploitation attempts. The vulnerability could allow attackers to delete critical files, potentially disrupting ERP operations and causing data loss or service outages.

The path traversal vulnerability in ssm-erp can have significant impacts on organizations relying on this ERP system. Unauthorized deletion of files can lead to loss of critical business data, disruption of ERP functionality, and potential downtime affecting business operations. Since ERP systems often manage sensitive financial, inventory, and personnel data, integrity and availability impacts could cascade into operational and compliance risks. Attackers exploiting this vulnerability remotely can cause damage without requiring user interaction, increasing the risk of automated or widespread attacks. The lack of vendor response and absence of patches further exacerbate the risk, leaving organizations exposed. Additionally, the inability to easily identify affected versions complicates incident response and remediation efforts. Organizations may face increased costs related to recovery, forensic analysis, and potential regulatory penalties if sensitive data is affected.

To mitigate CVE-2026-2864, organizations should implement multiple layers of defense: 1) Apply strict input validation and sanitization on the picName parameter to prevent directory traversal sequences (e.g., ../) from being processed. 2) Enforce the principle of least privilege by restricting file system permissions for the ERP application user, ensuring it cannot delete or modify files outside designated directories. 3) Implement application-level allowlisting for file operations to restrict deletions to known safe paths. 4) Monitor logs and file system activity for unusual deletion patterns or access attempts indicative of exploitation. 5) If possible, isolate the ERP application in a sandboxed environment or container to limit the blast radius of any successful attack. 6) Engage with the vendor or community to track patch releases or updates addressing this vulnerability. 7) As a temporary measure, consider disabling or restricting access to the pictureDelete function if it is not essential. 8) Conduct regular backups of ERP data and configuration files to enable recovery in case of file deletion. 9) Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attack patterns targeting picName parameters.