CVE-2024-13147
Published: 05 March 2025
Summary
CVE-2024-13147 is a critical-severity SQL Injection (CWE-89) vulnerability in the Merkur Software B2B Login Panel, affecting versions before 15.01.2025. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks at the 29.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13147 is an SQL Injection vulnerability stemming from improper neutralization of special elements used in an SQL command (CWE-89) in the Merkur Software B2B Login Panel. This flaw affects versions of the B2B Login Panel prior to 15.01.2025.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no requirement for user interaction. Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially enabling unauthorized database access, data manipulation, or disruption of services.
For mitigation guidance, refer to the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0054. Organizations should upgrade to B2B Login Panel version 15.01.2025 or later to address the issue.
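The following is an added example, not Merkur's code and not part of the USOM advisory: a minimal login check written in the string-concatenated form that CWE-89 describes, beside the parameterized form that neutralizes the same input. The table and column names and the in-memory SQLite store are assumptions for the demonstration; the constructed attacker inputs show the two outcomes the CVSS vector implies for an unauthenticated caller: an authentication bypass and extraction of data from other columns.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the panel's user store (schema assumed).
    Plaintext passwords are used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, company TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!', 'ACME Ltd')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89 pattern: the form fields are pasted into the SQL text, so a quote in
    either field changes the structure of the statement. Returns the matched row."""
    sql = ("SELECT username, company FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Hardened form: placeholders hand the values to the driver separately, so the
    same payloads are compared as literal strings and never alter the query."""
    sql = "SELECT username, company FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Constructed attacker inputs, exactly as they would be typed into the username field.
BYPASS = "' OR '1'='1' --"                                  # tautology, then comment out the password check
EXFIL = "' UNION SELECT password, username FROM users --"   # pull other columns into the result row

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "anything"))         # ('alice', 'ACME Ltd')
    print(login_vulnerable(db, EXFIL, "anything"))          # ('S3cret!', 'alice')
    print(login_parameterized(db, BYPASS, "anything"))      # None
    print(login_parameterized(db, "alice", "S3cret!"))      # ('alice', 'ACME Ltd')
```

The password field never reaches the database in either attack because the `--` comment discards the rest of the statement; this is why a login panel that concatenates input is exploitable with PR:N. Parameterization is the SI-10 control applied at the exact trust boundary; allow-listing the username format is a useful second layer but does not replace it.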
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54006
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Merkur Software B2B Login Panel allows SQL Injection. This issue affects B2B Login Panel: before 15.01.2025.
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
SQL Injection in the public-facing B2B Login Panel enables remote, unauthenticated exploitation of the web application for initial access.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of untrusted input so that specially crafted SQL elements are blocked before they reach the database.
- SI-2 (Flaw Remediation): Mandates timely remediation of identified flaws such as the CWE-89 SQL injection in the B2B Login Panel by applying the vendor patch (v15.01.2025 or later).
- Application and database monitoring: Enables monitoring of application and database interactions to identify anomalous SQL statements or injection attempts originating from the login panel.
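As an added example of the monitoring control (not code from Merkur or from this entry), the following scans a constructed authentication audit log for login attempts whose username field carries the classic CWE-89 payload shapes. The log line format, the field names and the sample records are assumptions made for the example; the Merkur panel's actual log format is not documented here. A successful login with an injected username is treated as the high-confidence signal, since that is what exploitation of a login panel looks like after the fact.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample audit log (format and records are assumptions for this example).
SAMPLE_LOG = """\
2025-03-05T10:12:01Z src=198.51.100.23 action=login user="alice" result=failure
2025-03-05T10:12:05Z src=198.51.100.23 action=login user="alice" result=success
2025-03-05T10:13:40Z src=203.0.113.7 action=login user="%27+OR+%271%27%3D%271%27+--" result=success
2025-03-05T10:13:42Z src=203.0.113.7 action=login user="admin' UNION SELECT password, username FROM users --" result=success
2025-03-05T10:14:00Z src=192.0.2.9 action=login user="o'brien" result=failure
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) action=login user="(?P<user>[^"]*)" result=(?P<result>\S+)$'
)

# Signatures for payload shapes that break out of a quoted string literal in a login query.
# A lone apostrophe (o'brien) is deliberately not matched; it is legitimate input.
SQLI_SIGNATURES = {
    "tautology": re.compile(r"'\s*(?:or|and)\s+['\d]", re.I),            # ' OR '1'='1
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),   # column extraction
    "comment": re.compile(r"--|/\*"),                                     # truncates the statement
    "stacked": re.compile(r";\s*(?:drop|delete|update|insert|alter)\b", re.I),
}


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(value):
    """Names of the signatures matching a form value, after undoing URL encoding,
    which is how the payload from a browser form arrives in most logs."""
    decoded = unquote_plus(value)
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded)]


def scan_login_log(text):
    """One finding per suspicious login attempt, plus a count of attempts per source."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["user"])
        if not hits:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "user": unquote_plus(rec["user"]),
            "patterns": hits,
            "result": rec["result"],
            # An injected username that still logged in means the query was altered.
            "severity": "high" if rec["result"] == "success" else "medium",
        })
    per_src = Counter(f["src"] for f in findings)
    return findings, per_src


if __name__ == "__main__":
    for finding in scan_login_log(SAMPLE_LOG)[0]:
        print(finding)
```

Run against the panel's own login audit log rather than the reverse proxy's access log, which usually records only the request line and not the POST body where the username travels. Pattern matching like this catches the textbook payloads and is cheap to deploy as an interim detection before the patch is rolled out; it does not replace SI-2, and attackers who obfuscate payloads or use blind techniques will need database-side query logging to be caught.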