CVE-2024-12016
Published: 20 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2024-12016 is an SQL Injection vulnerability (CWE-89) in CM Informatics' CM News application. The flaw arises from improper neutralization of special elements used in an SQL command, affecting all versions of CM News through 6.0. Published on March 20, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. Successful exploitation enables high-impact violations of confidentiality, integrity, and availability, such as unauthorized data extraction, modification, or deletion from the underlying database.
The sole advisory reference from USOM (https://www.usom.gov.tr/bildirim/tr-25-0072) aligns with vendor confirmation that CM News is no longer supported, indicating no patches or official mitigations are available. Organizations should decommission affected instances and migrate to supported alternatives to reduce exposure.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in remotely accessible web app directly enables T1190 for unauthenticated exploitation; facilitates database data extraction via T1213.006 and stored data manipulation (including modification/deletion) via T1565.001.