CVE-2024-8997
Published: 18 March 2025
Summary
CVE-2024-8997 is a critical-severity SQL Injection (CWE-89) vulnerability in Vestel Evc04 Configuration Interface. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-8997 is an SQL injection vulnerability stemming from improper neutralization of special elements used in an SQL command (CWE-89). It affects the Vestel EVC04 Configuration Interface in versions prior to V3.187 and V4.53, allowing attackers to inject malicious SQL queries into the interface.
The vulnerability has a CVSS v3.1 base score of 9.8 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Remote attackers require no privileges, authentication, or user interaction and face low attack complexity over the network. Successful exploitation can result in high-impact compromise of confidentiality, integrity, and availability, potentially enabling full data exfiltration, modification, or denial of service on the affected system.
The primary advisory reference is available from USOM at https://www.usom.gov.tr/bildirim/tr-25-0070, which provides additional details relevant to mitigation strategies for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54122
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vestel EVC04 Configuration Interface allows SQL Injection. This issue affects EVC04 Configuration Interface: before V3.187, V4.53.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in the public-facing Vestel EVC04 Configuration Interface allows remote unauthenticated attackers to inject malicious SQL queries, directly mapping to exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and neutralization of inputs before they are used in SQL commands, eliminating the root cause of CWE-89 in the EVC04 interface.
Mandates prompt application of vendor patches (V3.187 / V4.53) that correct the improper neutralization flaw.
Enables monitoring of query patterns and anomalies that would indicate attempted or successful SQL injection against the configuration interface.