Cyber Resilience

CVE-2024-12016

CriticalUpdated

Published: 20 March 2025

Published
20 March 2025
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12016 is a critical-severity SQL Injection (CWE-89) vulnerability in Gov (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12016 is an SQL Injection vulnerability (CWE-89) in CM Informatics' CM News application. The flaw arises from improper neutralization of special elements used in an SQL command, affecting all versions of CM News through 6.0. Published on March 20, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. Successful exploitation enables high-impact violations of confidentiality, integrity, and availability, such as unauthorized data extraction, modification, or deletion from the underlying database.

The sole advisory reference from USOM (https://www.usom.gov.tr/bildirim/tr-25-0072) aligns with vendor confirmation that CM News is no longer supported, indicating no patches or official mitigations are available. Organizations should decommission affected instances and migrate to supported alternatives to reduce exposure.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection. This issue affects CM News: through 6.0. NOTE: The vendor was contacted and it was learned that the product…

more

is not supported.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in remotely accessible web app directly enables T1190 for unauthenticated exploitation; facilitates database data extraction via T1213.006 and stored data manipulation (including modification/deletion) via T1565.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-26136Shared CWE-89
CVE-2019-25444Shared CWE-89
CVE-2025-13379Shared CWE-89
CVE-2026-30881Shared CWE-89
CVE-2026-26704Shared CWE-89
CVE-2025-27617Shared CWE-89
CVE-2026-39319Shared CWE-89
CVE-2026-25746Shared CWE-89
CVE-2026-40836Shared CWE-89
CVE-2019-25713Shared CWE-89

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and neutralization of untrusted input before it is used in SQL statements, blocking the exact CWE-89 flaw.

prevent

Mandates replacement or decommissioning of the unsupported CM News application for which no patches exist.

detect

Enables continuous monitoring of application and database traffic to identify anomalous SQL patterns indicative of injection attempts.

References