CVE-2019-25459

CriticalPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

02 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into parameters like emlak_durumu, emlak_tipi, il, ilce, kelime, and semt to extract…

sensitive database information or perform time-based blind SQL injection attacks.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by requiring validation of untrusted GET parameters like emlak_durumu before processing database queries.

SI-9 Information Input Restrictions partial match

prevent

Restricts input length, format, and content of vulnerable parameters such as il and semt to block malicious SQL payloads.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the identified SQL injection flaw to eliminate the vulnerability in the endpoint.

Security SummaryAI

CVE-2019-25459 involves multiple SQL injection vulnerabilities (CWE-89) in Web Ofisi Emlak V2. These flaws affect an endpoint that processes GET parameters including emlak_durumu, emlak_tipi, il, ilce, kelime, and semt, enabling attackers to inject malicious SQL code and manipulate database queries.

Unauthenticated attackers can exploit the vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows extraction of sensitive database information or execution of time-based blind SQL injection attacks.

Advisories and proof-of-concept details are documented in references such as Exploit-DB (exploit 47142), VulnCheck advisory on the emlak-ara.html endpoint, and the vendor's page for Emlak Scripti V3. No specific patch or mitigation details are outlined in the provided information.

Details

CWE(s): CWE-89

Affected Products

web-ofisi

emlak

2.0.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application directly enables T1190 (Exploit Public-Facing Application). Allows arbitrary database query manipulation for sensitive data extraction, mapping to T1213.006 (Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/47142
Exploit · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/web-ofisi-emlak-sql-injection-via-emlak-arahtml
Broken Link · disclosure@vulncheck.com
https://www.web-ofisi.com/detay/emlak-scripti-v3.html
Product · disclosure@vulncheck.com