CVE-2024-8997
Published: 18 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-8997 is an SQL injection vulnerability stemming from improper neutralization of special elements used in an SQL command (CWE-89). It affects the Vestel EVC04 Configuration Interface in versions prior to V3.187 and V4.53, allowing attackers to inject malicious SQL queries into the interface.
The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Remote attackers require no privileges, authentication, or user interaction and face low attack complexity over the network. Successful exploitation can result in high-impact compromise of confidentiality, integrity, and availability, potentially enabling full data exfiltration, modification, or denial of service on the affected system.
The primary advisory reference is available from USOM at https://www.usom.gov.tr/bildirim/tr-25-0070, which provides additional details relevant to mitigation strategies for this vulnerability.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing Vestel EVC04 Configuration Interface allows remote unauthenticated attackers to inject malicious SQL queries, directly mapping to exploitation of a public-facing application.