CVE-2024-13150

Fayton · Fayton Software and Consulting Services fayton.Pro ERP

A critical vulnerability, identified as CVE-2024-13150, has been discovered in the Fayton Software and Consulting Services fayton.Pro ERP application.

Executive summary

CVE-2024-13150 is a critical SQL injection vulnerability in the Fayton Software and Consulting Services fayton.Pro ERP application. A remote, unauthenticated attacker could use it to take control of the application's database: read, modify or delete the business-critical data the ERP system holds, with a severe data breach, data manipulation or loss of data integrity as the likely outcome.

Vulnerability

This vulnerability is an Improper Neutralization of Special Elements used in an SQL Command (CWE-89), commonly known as SQL Injection. The fayton.Pro ERP application fails to properly sanitize user-supplied input before using it in database queries. An attacker can exploit this by crafting input that carries SQL syntax, which the back-end database then executes with the privileges of the application's database account. This could allow an attacker to bypass authentication controls, read, modify or delete any data that account can reach, and, where the database engine exposes such functionality and the account is privileged enough to use it, execute commands on the underlying database server.
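To make the mechanism concrete, here is an added illustrative example in Python against an in-memory SQLite database. It is not fayton.Pro code; the table, column names and login function are assumptions. The vulnerable function builds the query by string concatenation, so a crafted username both bypasses the password check and, with a UNION payload, reads another row's data; the parameterized form sends the same input as bound data and the query shape never changes.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for an ERP user table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!', 'admin')")
    conn.execute("INSERT INTO users VALUES ('clerk', 'clerk123', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89 pattern: user input is spliced straight into the SQL text.

    Deliberately vulnerable to show the failure mode; do not copy.
    """
    sql = ("SELECT role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: fixed query shape, input travels as bound parameters."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against the same two payloads and a legitimate login."""
    conn = setup_db()
    # Comment terminator drops the password clause entirely.
    bypass = "admin' -- "
    # UNION pulls a column from another row into the result set.
    exfil = "x' UNION SELECT password FROM users WHERE username = 'admin' -- "
    return {
        "vuln_bypass": login_vulnerable(conn, bypass, "wrong"),      # 'admin'
        "vuln_exfil": login_vulnerable(conn, exfil, "wrong"),        # 'S3cret!'
        "safe_bypass": login_parameterized(conn, bypass, "wrong"),   # None
        "safe_exfil": login_parameterized(conn, exfil, "wrong"),     # None
        "safe_legit": login_parameterized(conn, "admin", "S3cret!"), # 'admin'
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the parameterized version is not escaping: the driver sends the statement and the values separately, so a quote or a `--` in the username can never become part of the statement. The same applies whatever the real ERP's database engine is, as long as the application uses bound parameters (or an ORM that does) for every query that touches user input.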

Business impact

This vulnerability is rated critical, with a CVSS score of 9.8. Exploitation could have a devastating impact on the business. An attacker could exfiltrate sensitive corporate data, including financial records, employee information, customer lists and proprietary trade secrets, leading to regulatory fines and reputational damage. The ability to modify or delete data could disrupt business operations and supply chains and corrupt financial reporting. A full compromise of the database server could also serve as a pivot point for further attacks into the corporate network.

Remediation

Immediate Action: Update fayton.Pro ERP to the latest vendor-supplied version that addresses CVE-2024-13150. Until the update is in place, monitor for exploitation attempts and review application and database access logs.

Proactive Monitoring: Implement enhanced monitoring of application and database server logs. Specifically, look for unusual or malformed SQL queries, a sudden increase in database error messages, and request parameters that carry SQL syntax such as UNION SELECT, a quote followed by OR, a comment terminator (--) or a semicolon starting a second statement. URL-decode parameters before matching, and prefer patterns that capture the structure of an injection over bare keyword matches, since words like SELECT occur in legitimate ERP searches. Monitor network traffic for anomalous data flows from the database server.
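As an added example (not from the original page or the vendor), the following Python scanner applies the kind of checks this paragraph describes to a handful of constructed access-log lines in an assumed combined-log format. It URL-decodes the query string first and uses patterns narrower than bare keyword matches, so a legitimate search for "select summary" does not fire while a tautology, a UNION SELECT, a stacked query and a trailing comment terminator do. It then groups hits by source address, since a burst from one client is a stronger signal than a single match.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines, not real fayton.Pro logs. The format is an assumed
# combined-log style with the query string inside the request URI.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jan/2025:10:01:02 +0000] "GET /erp/search?q=invoice+2024 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2025:10:01:07 +0000] "GET /erp/search?q=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9831',
    '10.0.0.9 - - [12/Jan/2025:10:01:11 +0000] "GET /erp/item?id=1+UNION+SELECT+username%2Cpassword+FROM+users-- HTTP/1.1" 500 221',
    '10.0.0.7 - - [12/Jan/2025:10:02:15 +0000] "GET /erp/report?name=Q1+select+summary HTTP/1.1" 200 800',
    '10.0.0.9 - - [12/Jan/2025:10:02:40 +0000] "GET /erp/item?id=1%3B+DROP+TABLE+users%3B-- HTTP/1.1" 500 221',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the URL-decoded query string. Each pattern requires some SQL
# structure around the keyword so that ordinary text does not match.
PATTERNS = {
    "tautology": re.compile(r"'\s*OR\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I),
    "stacked_query": re.compile(r";\s*(DROP|ALTER|INSERT|UPDATE|DELETE|EXEC)\b", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
}


def parse_line(line):
    """Split one access-log line into ip, status and the decoded query string."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    query = uri.split("?", 1)[1] if "?" in uri else ""
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "uri": uri,
        "query": unquote_plus(query),
    }


def classify(query):
    """Return the names of every pattern that matches the decoded query."""
    return [name for name, rx in PATTERNS.items() if rx.search(query)]


def scan(lines):
    """Yield (ip, status, tags) for every line that trips at least one pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            hits.append((rec["ip"], rec["status"], tags))
    return hits


def noisy_sources(hits, threshold=2):
    """Source addresses with at least `threshold` flagged requests."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for ip, status, tags in found:
        print(ip, status, ", ".join(tags))
    print("repeat offenders:", noisy_sources(found))
```

The HTTP status is carried through because the paragraph's second signal, a rise in database errors, often shows up as a run of 500 responses from the same client; correlating the flagged requests with that is more reliable than either signal on its own. The patterns are a starting point, not a complete ruleset: an attacker can vary spacing, casing and encoding, so treat the scanner as triage and confirm hits against the database's own query log.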

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attack patterns, bearing in mind that a WAF reduces exposure but does not remove the flaw, since encoding and obfuscation can get payloads past signature rules. Restrict network access to the application and database servers to only known, trusted IP addresses. Ensure the application's database service account follows the principle of least privilege: it should hold only the data-manipulation rights the application needs, and no rights to alter database structure, read or write files, or reach the underlying operating system, so that a successful injection is confined to the application's own data.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations using the affected Fayton Software and Consulting Services fayton.Pro ERP product prioritize the immediate application of the vendor-supplied security patch. The potential for a complete compromise of sensitive business data is extremely high. While it is not yet listed on the CISA KEV, its severity makes it a prime target for future exploitation, and it should be treated with the highest urgency.