CVE-2024-12146

High

Published: 06 March 2025

Published

06 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0011 29.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2024-12146 is an SQL Injection vulnerability (CWE-89) due to improper neutralization of special elements used in an SQL command. It affects Finder Fire Safety Finder ERP/CRM (New System) in versions before 18.12.2024.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, no user interaction, and without changing the scope of impact. Successful exploitation results in high confidentiality impact, potentially allowing unauthorized access to sensitive data, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Mitigation details are available in the advisory published by USOM at https://www.usom.gov.tr/bildirim/tr-25-0060. The issue is addressed in Finder ERP/CRM (New System) version 18.12.2024 and later.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in a remotely accessible ERP/CRM web application directly enables T1190 for initial access via public-facing app exploitation and facilitates T1213.006 for unauthorized database data collection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.usom.gov.tr/bildirim/tr-25-0060
iletisim@usom.gov.tr