CVE-2019-25459

CriticalPublic PoC

Published: 22 February 2026

Published

22 February 2026

Modified

02 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25459 is a critical-severity SQL Injection (CWE-89) vulnerability in Web-Ofisi Emlak. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by requiring validation of untrusted GET parameters like emlak_durumu before processing database queries.

SI-9 Information Input Restrictions partial match

prevent

Restricts input length, format, and content of vulnerable parameters such as il and semt to block malicious SQL payloads.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the identified SQL injection flaw to eliminate the vulnerability in the endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application directly enables T1190 (Exploit Public-Facing Application). Allows arbitrary database query manipulation for sensitive data extraction, mapping to T1213.006 (Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into parameters like emlak_durumu, emlak_tipi, il, ilce, kelime, and semt to extract…

sensitive database information or perform time-based blind SQL injection attacks.

Deeper analysisAI

CVE-2019-25459 involves multiple SQL injection vulnerabilities (CWE-89) in Web Ofisi Emlak V2. These flaws affect an endpoint that processes GET parameters including emlak_durumu, emlak_tipi, il, ilce, kelime, and semt, enabling attackers to inject malicious SQL code and manipulate database queries.

Unauthenticated attackers can exploit the vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows extraction of sensitive database information or execution of time-based blind SQL injection attacks.

Advisories and proof-of-concept details are documented in references such as Exploit-DB (exploit 47142), VulnCheck advisory on the emlak-ara.html endpoint, and the vendor's page for Emlak Scripti V3. No specific patch or mitigation details are outlined in the provided information.