CVE-2024-13147

Critical

Published: 05 March 2025

Published

05 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13147 is an SQL Injection vulnerability stemming from improper neutralization of special elements used in an SQL command (CWE-89) in the Merkur Software B2B Login Panel. This flaw affects versions of the B2B Login Panel prior to 15.01.2025.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no requirement for user interaction. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially enabling unauthorized database access, data manipulation, or disruption of services.

For mitigation guidance, refer to the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0054. Organizations should upgrade to B2B Login Panel version 15.01.2025 or later to address the issue.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL Injection in public-facing B2B Login Panel enables remote unauthenticated exploitation of the web application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.usom.gov.tr/bildirim/tr-25-0054
iletisim@usom.gov.tr