MS SQL Protocol Downgrade Vulnerability in SIMPLE.ERP from SIMPLE
CVE-2024-8773

8.3HIGH

Key Information:

Vendor: Simple Sa
Status: Simple.erp
Vendor: CVE Published:; 24 March 2025

What is CVE-2024-8773?

The SIMPLE.ERP client is susceptible to a vulnerability that allows a downgrade in the MS SQL protocol when triggered by a server request. This could result in unencrypted communication, making the system vulnerable to potential data interception and modification by malicious actors. The issue affects versions 6.20 to 6.30, with only 6.30 receiving a patch that enables administrators to enforce encrypted communications. Notably, versions 6.20 and 6.25 remain unpatched, leaving them exposed.

Affected Version(s)

SIMPLE.ERP 6.20 < 6.30@a03.9

References

https://cert.pl/en/posts/2025/03/CVE-2024-8773/

third-party-advisory

https://cert.pl/posts/2025/03/CVE-2024-8773/

third-party-advisory

https://simple.com.pl/produkty/simple-erp/dla-kogo/

product

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2025
Vulnerability Reserved
Sep 13, 2024

Credit

dr inż. Marcin Ochab

CVE-2024-8773 Data

JSON