Impact
The WebErpMesv2 system exposes a number of API endpoints without any authentication middleware, so an unauthenticated remote attacker can retrieve sensitive business data such as company profiles, quotes, orders, tasks, and collaboration whiteboards. The same endpoints also permit limited write operations: new company records can be created, and collaboration whiteboards can be fully manipulated. Because reads and these writes require no credentials at all, the flaw is a significant confidentiality and integrity breach, giving a malicious actor broad visibility into, and partial control over, critical operational data.
Affected Systems
The vulnerability affects the WebErpMesv2 application from vendor SMEWebify in all releases prior to version 1.19. No specific patch level is provided beyond the recommendation to upgrade to 1.19 or later.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity. An EPSS score of less than 1% suggests that the likelihood of active exploitation in the field is currently low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote over the network, since the exposed API endpoints are reachable without authentication. An attacker can trigger the issue simply by sending HTTP requests to any of the vulnerable endpoints, resulting in data disclosure or state modification. Although no publicly documented exploits exist, the high impact and the absence of any authentication barrier warrant immediate attention.
OpenCVE Enrichment