Cyber Posture

CVE-2024-9149

Severity: High
Published: 04 March 2025
Modified: 15 April 2026
KEV Added: (no date listed)
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0007 (22.0th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-9149 is an SQL injection vulnerability (CWE-89, improper neutralization of special elements used in an SQL command) in the Wind Media E-Commerce Website Template. The flaw affects all versions prior to v1.5 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L): it is reachable over the network, has low attack complexity, and requires neither privileges nor user interaction.

Remote, unauthenticated attackers can exploit the vulnerability by injecting SQL payloads into affected inputs, potentially extracting sensitive data such as customer records and credential hashes (high confidentiality impact), making limited modifications (low integrity impact), or degrading service (low availability impact). Scope Unchanged (S:U) means the rated impact is confined to the security authority of the vulnerable component, i.e. the web application and the database it queries; no impact on the underlying host or other applications is assumed in the score.

The Turkish National Cyber Incident Response Center (USOM) advisory at https://www.usom.gov.tr/bildirim/tr-25-0051 provides further details. Mitigation requires upgrading to E-Commerce Website Template v1.5 or later, which addresses the injection flaw. Where an immediate upgrade is not possible, the standard compensating control for CWE-89 is parameterised (prepared) queries in the affected code path; a WAF signature only reduces exposure and should not be treated as a fix. Note the contrast between the high base score and the low EPSS value (0.0007, 22nd percentile) and the absence of a KEV date on this page: the Risk Priority of 17 reflects the 60% EPSS weighting, so the score signals technical severity rather than observed exploitation.
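The injection pattern and its fix, as an added illustration: this is not the Wind Media template's code (which is not reproduced on this page), and the schema, the product-search function and the payload are all constructed for the demonstration. The vulnerable function splices the search term into the SQL text, so a UNION payload turns a product search into a dump of the users table; the parameterised version binds the same input as a value and returns nothing.

```python
import sqlite3

# Constructed stand-in schema for an e-commerce catalogue; not the template's real tables.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Chair', 49.0), (2, 'Desk', 199.0);
        INSERT INTO users VALUES (1, 'admin@example.com', 'constructed-hash-value');
    """)
    return conn


def search_vulnerable(conn, term):
    """CWE-89: the untrusted search term is spliced into the SQL text."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Parameterised query: the term travels as a bound value, never as SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed UNION payload: closes the LIKE literal, appends a second SELECT with the
# same column count, and comments out the trailing "%'" that the application appends.
PAYLOAD = "x%' UNION SELECT email, password_hash FROM users -- "


def demo():
    """Run the same benign and malicious inputs through both functions."""
    conn = build_db()
    return {
        "benign_vulnerable": search_vulnerable(conn, "chair"),
        "payload_vulnerable": search_vulnerable(conn, PAYLOAD),
        "payload_fixed": search_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The benign term returns the matching product from both functions; the payload returns the users table from the vulnerable function and an empty result from the fixed one. The fix is the query shape, not input filtering: a blocklist on quotes or the word UNION would still leave other encodings and comment styles open.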

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An SQL injection flaw in a public-facing web application maps directly to T1190 Exploit Public-Facing Application: it gives a remote, unauthenticated attacker initial access to the application's data tier and, depending on the database configuration, a foothold for further data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
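Detection logic for the T1190 mapping above, as an added example that is not part of this page or of any vendor tooling: it parses constructed web-server access log lines in common log format, URL-decodes the request path (repeatedly, so double-encoded payloads are not missed), and flags the classic SQL injection indicators. The log lines, endpoint names and IP addresses are all constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (common log format); not real traffic.
# The fourth line carries a double-encoded payload (%2527 -> %27 -> ').
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2025:10:12:01 +0000] "GET /search.php?q=chair HTTP/1.1" 200 1532
203.0.113.7 - - [04/Mar/2025:10:12:09 +0000] "GET /search.php?q=x%25%27%20UNION%20SELECT%20email%2Cpassword_hash%20FROM%20users--%20 HTTP/1.1" 200 2210
198.51.100.4 - - [04/Mar/2025:10:13:44 +0000] "GET /product.php?id=2 HTTP/1.1" 200 1201
198.51.100.4 - - [04/Mar/2025:10:13:50 +0000] "GET /product.php?id=2%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 5100
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators, in evaluation order. Case-insensitive; whitespace tolerant.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR '1'='1, ' OR 1=1
    "comment": re.compile(r"--\s|/\*"),                                 # SQL comment terminators
}


def normalize(path, rounds=3):
    """URL-decode until the string stops changing (bounded), to catch double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def detect(log_text):
    """Return one hit per request whose decoded path matches any indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = normalize(m.group("path"))
        indicators = [name for name, rx in SQLI_PATTERNS.items() if rx.search(path)]
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": m.group("status"),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["indicators"], hit["path"])
```

Two of the four constructed requests are flagged: the UNION-based extraction attempt and the double-encoded tautology. Treat this as a triage signal rather than a verdict: legitimate free-text fields can contain these tokens, and attackers vary case, whitespace and inline comments to evade static patterns. Corroborate with the response size (the constructed 5100-byte reply to the tautology request is several times the normal product page) or with database query logs before escalating.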

References

USOM advisory TR-25-0051: https://www.usom.gov.tr/bildirim/tr-25-0051