CVE-2024-12918
Published: 24 February 2025
Summary
CVE-2024-12918 is a high-severity SQL Injection (CWE-89) vulnerability in Gov (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-12918 is an SQL Injection vulnerability (CWE-89), stemming from improper neutralization of special elements used in an SQL command, in Agito Computer Health4All software. This issue affects Health4All versions prior to 10.01.2025.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no user interaction required. Low-privileged authenticated users (PR:L) can exploit it to achieve high impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption.
The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0042 provides further details on the issue. Mitigation requires updating to Health4All version 10.01.2025 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4360
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Health4All allows SQL Injection. This issue affects Health4All: before 10.01.2025.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
SQL Injection in a network-accessible application directly enables exploitation of public-facing apps for initial access and high-impact data manipulation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of inputs used in SQL commands, preventing the improper neutralization that enables this SQL injection.
- SI-2 (Flaw Remediation): Mandates timely remediation of the identified flaw by updating Health4All to version 10.01.2025 or later.
- Limits the database-level privileges granted to low-privileged authenticated users who can otherwise exploit the injection.
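As an added illustration of the input-validation and privilege-limiting controls above (example code written for this page, not Health4All's code, which is not public): a lookup that pastes user input into the SQL text, the CWE-89 pattern behind this CVE, beside a hardened version that allow-lists the input format (SI-10), binds parameters, and scopes the query to the authenticated caller so a low-privileged user cannot reach other users' rows. The table layout, column names and record-number format are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for a patient-records table (not real data).
SAMPLE_ROWS = [
    (1, "alice", "A-100", "Alice Example", "clinic-1"),
    (2, "bob", "B-200", "Bob Example", "clinic-2"),
]


def make_db():
    """Build an in-memory SQLite table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients(id INTEGER, owner TEXT, mrn TEXT, name TEXT, clinic TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, owner, mrn):
    """CWE-89 pattern: mrn is interpolated into the statement, so quote characters
    in it alter the SQL instead of being treated as data."""
    sql = f"SELECT name FROM patients WHERE owner='{owner}' AND mrn='{mrn}'"
    return [row[0] for row in conn.execute(sql)]


# Assumed record-number format used as an allow-list (SI-10 input validation).
MRN_RE = re.compile(r"[A-Z]-\d{3}")


def lookup_hardened(conn, owner, mrn):
    """Validate the input shape, bind parameters, and scope to the caller."""
    if not MRN_RE.fullmatch(mrn):
        raise ValueError("invalid record number")
    # Bound parameters reach the engine as values, never as SQL text. The owner
    # predicate comes from the authenticated session, not from the request, so
    # the caller's reach is limited to rows already scoped to them.
    sql = "SELECT name FROM patients WHERE owner=? AND mrn=?"
    return [row[0] for row in conn.execute(sql, (owner, mrn))]


if __name__ == "__main__":
    db = make_db()
    malformed = "x' OR '1'='1"  # constructed malformed input for the comparison
    print("vulnerable, malformed input:", lookup_vulnerable(db, "alice", malformed))
    try:
        lookup_hardened(db, "alice", malformed)
    except ValueError as exc:
        print("hardened, malformed input rejected:", exc)
    print("hardened, other user's record:", lookup_hardened(db, "alice", "B-200"))
```

Run as a script, the vulnerable lookup returns every row for the malformed input while the hardened lookup rejects it before any SQL runs and returns nothing for a record that belongs to another user.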