high advisory

eBrigade ERP 4.5 SQL Injection Vulnerability (CVE-2019-25707)

eBrigade ERP 4.5 is vulnerable to SQL injection via the 'id' parameter in pdf.php, allowing authenticated attackers to execute arbitrary SQL queries and extract sensitive database information.

eBrigade ERP 4.5 is susceptible to an SQL injection vulnerability (CVE-2019-25707) that enables authenticated attackers to execute arbitrary SQL queries. The vulnerability is located in the pdf.php script and is triggered via the ‘id’ parameter. By injecting malicious SQL code into this parameter through a GET request, an attacker can potentially extract sensitive information from the database, including table names and schema details. This vulnerability poses a significant risk to organizations using eBrigade ERP 4.5, as successful exploitation could lead to data breaches, compromised credentials, and other malicious activities. The vulnerability was published on 2026-04-12.

Attack Chain

  1. An attacker gains valid credentials for eBrigade ERP 4.5 either through credential stuffing or some other credential compromise technique.
  2. The attacker crafts a malicious SQL payload designed to extract sensitive information or manipulate the database.
  3. The attacker constructs a GET request targeting the pdf.php endpoint, embedding the malicious SQL payload within the ‘id’ parameter (e.g., pdf.php?id=1' UNION SELECT ...).
  4. The server-side application fails to properly sanitize or validate the ‘id’ parameter before incorporating it into an SQL query.
  5. The application executes the attacker-controlled SQL query against the database.
  6. The database returns the results of the injected SQL query to the application.
  7. The application displays the extracted data to the attacker.
  8. The attacker uses the extracted data (database schema, usernames, passwords, etc.) to further compromise the application or gain unauthorized access to other systems.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2019-25707) can lead to the extraction of sensitive information from the eBrigade ERP 4.5 database. This could include customer data, financial records, employee information, and other confidential data. The impact could range from data breaches and financial losses to reputational damage and legal repercussions. While the exact number of victims is unknown, any organization using eBrigade ERP 4.5 is potentially at risk.

Recommendation

  • Inspect web server access logs for GET requests to pdf.php that carry SQL syntax in the id parameter; the provided Sigma rule detects these exploitation attempts.
  • Apply input validation and sanitization to the ‘id’ parameter in pdf.php to prevent SQL injection attacks.
  • Upgrade to a patched version of eBrigade ERP or apply the necessary security patches provided by the vendor to remediate CVE-2019-25707.
  • Monitor network traffic for unusual database activity originating from the eBrigade ERP 4.5 server.
  • Block access to the known exploit URL (https://www.exploit-db.com/exploits/46117) at your web proxy or firewall.
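
The access-log check from the first recommendation, together with the 500-response correlation described under detection coverage, can be run offline as in the following added example (it is not the platform's Sigma rule or eBrigade code). The combined log format, the SQL token list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed Apache/nginx combined log format: ip - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed token list: quotes, comment markers and keywords that do not belong in an id value.
SQL_RE = re.compile(r"""['"`;]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b""", re.I)

SAMPLE_LOG = [  # constructed lines using documentation IP ranges
    '192.0.2.10 - - [12/Apr/2026:10:00:01 +0000] "GET /ebrigade/pdf.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Apr/2026:10:00:05 +0000] "GET /ebrigade/pdf.php?id=1%27+UNION+SELECT+... HTTP/1.1" 200 733 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Apr/2026:10:00:09 +0000] "GET /ebrigade/pdf.php?id=1%2527 HTTP/1.1" 500 310 "-" "curl/8.0"',
    '192.0.2.10 - - [12/Apr/2026:10:00:12 +0000] "GET /ebrigade/index.php?id=1%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def fully_decode(value, rounds=3):
    """Undo nested URL encoding (e.g. %2527) with a bounded number of passes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one finding per GET to pdf.php whose id parameter carries SQL syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/pdf.php"):
            continue
        # parse_qs decodes once; fully_decode catches double-encoded payloads.
        for raw in parse_qs(url.query, keep_blank_values=True).get("id", []):
            value = fully_decode(raw)
            if SQL_RE.search(value):
                findings.append({"ip": m["ip"], "id": value,
                                 "server_error": m["status"] == "500"})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `server_error` set correspond to the medium-severity case (a 500 response to a request carrying SQL syntax); the rest correspond to the high-severity case.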

Detection coverage 2

Detect SQL Injection Attempts in eBrigade ERP pdf.php

high

Detects potential SQL injection attempts targeting the pdf.php endpoint in eBrigade ERP 4.5 by identifying suspicious SQL syntax within the 'id' parameter of GET requests.

sigma | tactics: initial_access | techniques: T1190, T1203 | sources: webserver, linux

Detect Error Responses After SQL Injection Attempt in eBrigade ERP pdf.php

medium

Detects potential SQL injection attempts targeting the pdf.php endpoint in eBrigade ERP 4.5 by identifying 500 errors after a request with SQL syntax.

sigma | tactics: initial_access | techniques: T1190, T1203 | sources: webserver, linux

Detection queries are kept inside the platform.

Indicators of compromise

1 email, 4 url

Type    Value
url     https://ebrigade.net/
url     https://netcologne.dl.sourceforge.net/project/ebrigade/ebrigade/eBrigade%204.5/ebrigade_4.5.zip
url     https://www.exploit-db.com/exploits/46117
url     https://www.vulncheck.com/advisories/ebrigade-erp-sql-injection-via-pdf-php
email   [email protected]