CVE-2024-12016

Critical

Published: 20 March 2025

Published

20 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12016 is a critical-severity SQL Injection (CWE-89) vulnerability in Gov (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SA-22 Unsupported System Components good match

prevent

Prohibits the use of unsupported system components like CM News through 6.0, directly mitigating exposure to this unpatchable SQL injection vulnerability by requiring decommissioning.

SI-10 Information Input Validation good match

prevent

Enforces validation of input format, type, range, and length to neutralize special elements in SQL commands, directly preventing SQL injection exploits like CVE-2024-12016.

SI-2 Flaw Remediation partial match

prevent

Requires timely remediation or compensating controls for flaws like CVE-2024-12016, including alternatives to unsupported vulnerable software.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in remotely accessible web app directly enables T1190 for unauthenticated exploitation; facilitates database data extraction via T1213.006 and stored data manipulation (including modification/deletion) via T1565.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CM Informatics CM News allows SQL Injection.This issue affects CM News: through 6.0. NOTE: The vendor was contacted and it was learned that the product is…

not supported.

Deeper analysisAI

CVE-2024-12016 is an SQL Injection vulnerability (CWE-89) in CM Informatics' CM News application. The flaw arises from improper neutralization of special elements used in an SQL command, affecting all versions of CM News through 6.0. Published on March 20, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, requiring only network access and low attack complexity. Successful exploitation enables high-impact violations of confidentiality, integrity, and availability, such as unauthorized data extraction, modification, or deletion from the underlying database.

The sole advisory reference from USOM (https://www.usom.gov.tr/bildirim/tr-25-0072) aligns with vendor confirmation that CM News is no longer supported, indicating no patches or official mitigations are available. Organizations should decommission affected instances and migrate to supported alternatives to reduce exposure.