Cyber Resilience

CVE-2019-25459

HighPublic PoC

Published: 22 February 2026

Published
22 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2019-25459 is a high-severity SQL Injection (CWE-89) vulnerability in Web-Ofisi Emlak. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25459 involves multiple SQL injection vulnerabilities (CWE-89) in Web Ofisi Emlak V2. These flaws affect an endpoint that processes GET parameters including emlak_durumu, emlak_tipi, il, ilce, kelime, and semt, enabling attackers to inject malicious SQL code and manipulate database queries.

Unauthenticated attackers can exploit the vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows extraction of sensitive database information or execution of time-based blind SQL injection attacks.

Advisories and proof-of-concept details are documented in references such as Exploit-DB (exploit 47142), VulnCheck advisory on the emlak-ara.html endpoint, and the vendor's page for Emlak Scripti V3. No specific patch or mitigation details are outlined in the provided information.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into parameters like emlak_durumu, emlak_tipi, il, ilce, kelime, and semt to extract…

more

sensitive database information or perform time-based blind SQL injection attacks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in public-facing web application directly enables T1190 (Exploit Public-Facing Application). Allows arbitrary database query manipulation for sensitive data extraction, mapping to T1213.006 (Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25456Same product: Web-Ofisi Emlak
CVE-2019-25460Same vendor: Web-Ofisi
CVE-2019-25461Same vendor: Web-Ofisi
CVE-2019-25457Same vendor: Web-Ofisi
CVE-2019-25455Same vendor: Web-Ofisi
CVE-2019-25458Same vendor: Web-Ofisi
CVE-2018-25199Shared CWE-89
CVE-2026-27179Shared CWE-89
CVE-2025-0308Shared CWE-89
CVE-2019-25581Shared CWE-89

Affected Assets

web-ofisi
emlak
2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation of untrusted GET parameters like emlak_durumu before processing database queries.

prevent

Restricts input length, format, and content of vulnerable parameters such as il and semt to block malicious SQL payloads.

prevent

Requires timely remediation of the identified SQL injection flaw to eliminate the vulnerability in the endpoint.

References