CVE-2020-37082

9.8 CRITICAL

📋 TL;DR

CVE-2020-37082 is an unauthenticated file access vulnerability in webERP 4.15.1 that allows remote attackers to download database backup files without authentication. This exposes sensitive business data including customer information, financial records, and system credentials. All organizations running the vulnerable version of webERP with internet-facing instances are affected.

💻 Affected Systems

Products:
  • webERP
Versions: 4.15.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when backup files are generated in the companies/weberp/ directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database exfiltration leading to data breach, credential theft, financial fraud, and potential regulatory penalties.

🟠 Likely Case: Exposure of sensitive business data including customer PII, financial records, and internal business operations.

🟢 If Mitigated: Limited impact with proper access controls, though backup files could still contain sensitive data if accessed.

🌐 Internet-Facing: HIGH - Direct unauthenticated access to database backups from internet-facing instances.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could access backups, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request to access Backup_[timestamp].sql.gz files. Exploit code available on Exploit-DB.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.15.2 and later

Vendor Advisory: http://www.weberp.org

Restart Required: No

Instructions:

1. Download the latest version from the webERP website or SourceForge.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Verify the backup directory permissions.

🔧 Temporary Workarounds

Restrict backup directory access (platforms: all)

Configure the web server to deny access to the companies/weberp/ directory:

# Apache: add to the virtual host config (or to an .htaccess file in the directory)
<Directory "/path/to/companies/weberp/">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 syntax (also accepted by 2.4 with mod_access_compat)
    # Order deny,allow
    # Deny from all
</Directory>
# Nginx: add to the server block; "deny all" already answers with 403
location ~ ^/companies/weberp/ {
    deny all;
}

Change backup location (platforms: all)

Move the backup files outside the web root directory:

# Edit the webERP configuration to change the backup path
# (look for the backup configuration in the config files)

🧯 If You Can't Patch

  • Implement strict network access controls to limit webERP access to trusted IPs only
  • Regularly monitor and delete old backup files from companies/weberp/ directory
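To support the second point (keeping stale dumps out of companies/weberp/), here is an added example script, not part of the advisory or of webERP, that lists Backup_*.sql.gz files in a company directory, reports their age and optionally removes those older than a retention window. The install path and the 7-day retention are assumptions; adjust them for your deployment.

```python
"""Audit a webERP companies/<company>/ directory for lingering database dumps.

Added example (not webERP code).  webERP writes dumps named
Backup_<timestamp>.sql.gz into the company directory, as the advisory
describes; this script finds them and enforces a retention window.
"""
import re
import time
from pathlib import Path

# Filename pattern of the dumps named in the advisory.
BACKUP_RE = re.compile(r"^Backup_.*\.sql\.gz$")


def find_backups(company_dir):
    """Return a list of (path, age_in_seconds) for every dump in company_dir."""
    now = time.time()
    found = []
    for entry in sorted(Path(company_dir).iterdir()):
        if entry.is_file() and BACKUP_RE.match(entry.name):
            found.append((entry, now - entry.stat().st_mtime))
    return found


def prune_backups(company_dir, max_age_days=7, delete=False):
    """Report dumps older than max_age_days; remove them only when delete=True.

    Returns the list of paths that exceed the retention limit, so a dry run
    (delete=False) shows what would be removed before anything is touched.
    """
    limit = max_age_days * 86400
    stale = [path for path, age in find_backups(company_dir) if age > limit]
    if delete:
        for path in stale:
            path.unlink()
    return stale


if __name__ == "__main__":
    # Assumed install path; replace with the real web root.
    target = Path("/var/www/html/weberp/companies/weberp")
    for path, age in find_backups(target):
        print(f"{path.name}: {age / 86400:.1f} days old")
    stale = prune_backups(target, max_age_days=7, delete=False)
    print(f"{len(stale)} backup(s) exceed the 7-day retention window (dry run)")
```

Run it from cron with delete=True once the dry-run output looks right; keeping the listing separate from the deletion makes the script safe to try on a production host.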

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[webERP-host]/companies/weberp/Backup_*.sql.gz - if accessible without authentication, system is vulnerable.

Check Version:

Check webERP version in admin interface or look for version information in source files.

Verify Fix Applied:

Verify backup files are no longer accessible via web URL and check webERP version is 4.15.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses for .sql.gz files in companies/weberp/ directory
  • Unusual file download patterns for backup files

Network Indicators:

  • HTTP GET requests to /companies/weberp/Backup_*.sql.gz from unauthorized IPs

SIEM Query:

source="web_server" AND uri_path="/companies/weberp/Backup_*.sql.gz" AND http_status=200
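As an added example (not from the advisory), the log indicators above applied to raw web server access logs: the script parses combined-format lines, matches the Backup_*.sql.gz path under any company directory, and keeps only the requests that were actually served (2xx), with an option to also list the denied attempts. The log lines are constructed for illustration.

```python
"""Flag served downloads of webERP backup dumps in an Apache/Nginx access log.

Added example, not part of the advisory or of webERP.  SAMPLE_LOG is
constructed; real logs in combined format parse the same way.
"""
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Dump path named in the advisory: /companies/<company>/Backup_<timestamp>.sql.gz
BACKUP_PATH_RE = re.compile(r"^/companies/[^/]+/Backup_[^/]*\.sql\.gz$")

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:08:01:15 +0000] "GET /companies/weberp/Backup_2021-03-10_0800.sql.gz HTTP/1.1" 200 8388608 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2021:08:02:00 +0000] "GET /companies/weberp/Backup_2021-03-09_0800.sql.gz HTTP/1.1" 403 199 "-" "python-requests/2.25"
198.51.100.7 - - [10/Mar/2021:08:02:01 +0000] "GET /companies/weberp/ HTTP/1.1" 403 199 "-" "python-requests/2.25"
192.0.2.9 - - [10/Mar/2021:08:03:30 +0000] "HEAD /companies/weberp/Backup_2021-03-10_0800.sql.gz HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backup_downloads(log_text, success_only=True):
    """Return parsed events whose path is a webERP backup dump.

    success_only=True mirrors the advisory's indicator (HTTP 200 for the dump);
    success_only=False also returns denied attempts, useful after the
    workaround is in place to see who is still probing.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]  # ignore any query string
        if not BACKUP_PATH_RE.match(path):
            continue
        if success_only and not ev["status"].startswith("2"):
            continue
        hits.append(ev)
    return hits


def summarize_by_ip(events):
    """Count matching events per client address."""
    return Counter(ev["ip"] for ev in events)


if __name__ == "__main__":
    served = find_backup_downloads(SAMPLE_LOG)
    for ev in served:
        print(f"SERVED  {ev['ip']} {ev['method']} {ev['path']} size={ev['size']}")
    for ip, n in summarize_by_ip(find_backup_downloads(SAMPLE_LOG, success_only=False)).items():
        print(f"attempts from {ip}: {n}")
```

A HEAD request that returns 200 is reported too, since it confirms the dump is reachable even though no bytes were transferred; the transferred size field tells you whether a full download actually happened.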
