
CVE-2024-12918

Severity: High · Status: Updated

Published: 24 February 2025
Modified: 01 June 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12918 is a high-severity SQL Injection (CWE-89) vulnerability in Agito Computer Health4All; the affected-asset entry "Gov" on this page is inferred from the references, since NVD filed no CPE for this CVE. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 35.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-12918 is an SQL Injection vulnerability (CWE-89), stemming from improper neutralization of special elements used in an SQL command, in Agito Computer Health4All software. This issue affects Health4All versions prior to 10.01.2025.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no user interaction required. Low-privileged authenticated users (PR:L) can exploit it to achieve high impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption.

The USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0042 provides further details on the issue. Mitigation requires updating to Health4All version 10.01.2025 or later.

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agito Computer Health4All allows SQL Injection. This issue affects Health4All: before 10.01.2025.

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

SQL Injection in a network-accessible application directly enables exploitation of public-facing apps for initial access and high-impact data manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Gov (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation of inputs used in SQL commands, preventing the improper neutralization that enables this SQL injection.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the identified flaw by updating Health4All to version 10.01.2025 or later.

Database least privilege (prevent; control identifier not given on this page)
Limits the database-level privileges granted to low-privileged authenticated users who can otherwise exploit the injection.
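To make the SI-10 control concrete, the following Python/sqlite3 snippet is an added illustration (not code from Health4All, Agito Computer, or this advisory's sources). It puts the CWE-89 anti-pattern, a query assembled by string concatenation, beside its hardened form, a parameterized query, and shows the allow-list validation needed where a value such as a column name cannot be bound as a parameter. The table, rows and lookup functions are constructed for the demonstration; nothing here reflects the affected product's schema or code.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample data; not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, ward TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, ward) VALUES (?, ?)",
        [("Alice", "A1"), ("Bob", "B2"), ("Carol", "A1")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 anti-pattern: untrusted input is spliced into the SQL text.

    A value containing a quote character can change the WHERE clause
    itself, so the caller's intent ("rows whose name equals X") is lost.
    """
    sql = f"SELECT name, ward FROM patients WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the driver binds the value separately from the SQL.

    The query structure is fixed at the time it is written; whatever the
    caller passes is only ever compared as data against the name column.
    """
    return conn.execute(
        "SELECT name, ward FROM patients WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (column names, ORDER BY targets) cannot be bound as
# parameters, so they must be validated against a fixed allow-list
# before being placed into the SQL text. This is SI-10 in practice.
ALLOWED_SORT_COLUMNS = frozenset({"name", "ward"})


def list_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Return all rows ordered by an allow-listed column only."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(
        f"SELECT name, ward FROM patients ORDER BY {sort_by}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Same benign input behaves identically in both forms.
    print(lookup_vulnerable(db, "Alice"), lookup_parameterized(db, "Alice"))
    # A value that carries SQL syntax only affects the concatenated form.
    probe = "' OR '1'='1"
    print(len(lookup_vulnerable(db, probe)), len(lookup_parameterized(db, probe)))
    print(list_sorted(db, "ward"))
```

The contrast to check for in a code review is the one the two lookup functions show: with the concatenated query a single quoted value widens the result set to every row, while the parameterized query returns nothing because no patient has that literal name. The third control on this page, limiting the database privileges of the application account, is complementary rather than an alternative: it bounds what an injection that slips past validation can read or change, but it does not remove the flaw.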

References

USOM advisory TR-25-0042: https://www.usom.gov.tr/bildirim/tr-25-0042