Cyber Resilience

CVE-2024-9149

Severity: High
Published: 04 March 2025
Modified: 02 June 2026
KEV Added: not listed
Patch: available (upgrade to v1.5 or later)
CVSS v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS: 0.0007 (22.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-9149 is a high-severity SQL Injection (CWE-89) vulnerability in the Wind Media E-Commerce Website Template, affecting versions before v1.5 (product inferred from the references and description; NVD did not file a CPE). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-9149 is an SQL Injection vulnerability (CWE-89) stemming from improper neutralization of special elements in SQL commands within the Wind Media E-Commerce Website Template. This flaw affects all versions prior to v1.5 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

Remote attackers without authentication can exploit the vulnerability by injecting SQL payloads into affected inputs, potentially extracting sensitive data such as account records (high confidentiality impact), making limited modifications (low integrity impact), or causing partial denial of service (low availability impact). Scope is unchanged (S:U), so the rated impact is confined to the vulnerable component's own security authority rather than extending to other systems.

The Turkish National Cyber Incident Response Center (USOM) advisory at https://www.usom.gov.tr/bildirim/tr-25-0051 provides further details; mitigation requires upgrading to E-Commerce Website Template v1.5 or later to address the injection flaw.
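The following Python/sqlite3 snippet is an added illustration, not code from the Wind Media template (whose source is not reproduced on this page) or from the USOM advisory. It shows the CWE-89 pattern the description names, a search query built by string formatting, next to the parameterized form that removes it. The schema, the sample rows, the search function and the UNION payload are constructed assumptions; the payload demonstrates how an unauthenticated request can pull rows out of an unrelated table, which is the high-confidentiality impact in the CVSS vector.

```python
import sqlite3

# Constructed sample schema and data. The real template's schema is not
# published on this page; a products table and a users table are assumed.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL);
INSERT INTO products (name, price) VALUES ('Wind Jacket', 59.90), ('Rain Boots', 34.50);
INSERT INTO users (username, password_hash) VALUES ('admin', '$2y$10$constructedhashvalue');
"""


def make_db():
    """Return an in-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_products_vulnerable(conn, term):
    """CWE-89: the untrusted search term is spliced into the statement text,
    so a quote in `term` ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id, name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    """Hardened form: the value travels as a bound parameter, separate from the
    statement text, so quotes or keywords in `term` cannot change the query."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed attacker input for a three-column UNION: closes the LIKE literal,
# appends a second SELECT against the users table, and comments out the
# trailing quote the template would otherwise add.
UNION_PAYLOAD = "%' UNION SELECT id, username, password_hash FROM users --"


def leaked_credentials(rows):
    """Pick out rows whose third column looks like a bcrypt hash, i.e. rows
    that came from the users table rather than from products."""
    return [(r[1], r[2]) for r in rows
            if isinstance(r[2], str) and r[2].startswith("$2y$")]


def demo():
    """Run the same payload through both versions and return
    (credentials leaked by the vulnerable query, rows from the safe query)."""
    conn = make_db()
    vuln_rows = search_products_vulnerable(conn, UNION_PAYLOAD)
    safe_rows = search_products_safe(conn, UNION_PAYLOAD)
    return leaked_credentials(vuln_rows), safe_rows


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query leaked:", leaked)   # admin row from the users table
    print("parameterized query returned:", safe)  # [] (no product name matches)
```

The parameterized version still treats `%` and `_` in the term as LIKE wildcards; that is a separate input-handling issue (escape them or use an ESCAPE clause) and does not let an attacker alter the statement structure, which is what CWE-89 is about.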

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wind Media E-Commerce Website Template allows SQL Injection. This issue affects E-Commerce Website Template: before v1.5.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL Injection vulnerability in public-facing web application directly enables T1190 Exploit Public-Facing Application for remote unauthenticated initial access and data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Wind Media E-Commerce Website Template, versions before v1.5
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent

Directly requires validation and neutralization of untrusted inputs before they are used in SQL statements, eliminating the root cause of the CWE-89 flaw.

SI-2 Flaw Remediation · prevent

Mandates timely application of the vendor patch (upgrade to v1.5) that corrects the improper neutralization in the E-Commerce Website Template.

Continuous monitoring · detect

Enables continuous monitoring and anomaly detection on database queries or web inputs that could indicate attempted SQL injection, so that exploitation attempts against an unpatched template are noticed even though monitoring does not remove the flaw.
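To make the detect control concrete, the script below is an added example, not tooling from the page, the vendor or USOM. It scans Apache-style access-log lines for the query-string patterns an attempt against a search or product endpoint would leave behind: a quote followed by UNION ... SELECT, SQL comment sequences, tautologies such as OR '1'='1, and stacked statements. Endpoint names, parameter names, IP addresses, user agents and every log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed Apache combined-format access-log lines. Not real traffic; the
# endpoints (/search.php, /product.php) and hosts are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2025:10:15:02 +0300] "GET /search.php?q=jacket HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2025:10:15:09 +0300] "GET /search.php?q=%25%27+UNION+SELECT+id%2Cusername%2Cpassword_hash+FROM+users--+ HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.22 - - [04/Mar/2025:10:16:41 +0300] "GET /product.php?id=17 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.22 - - [04/Mar/2025:10:16:44 +0300] "GET /product.php?id=17+AND+1%3D1 HTTP/1.1" 200 3300 "-" "sqlmap/1.8"
198.51.100.22 - - [04/Mar/2025:10:16:45 +0300] "GET /product.php?id=17%27+OR+%271%27%3D%271 HTTP/1.1" 500 412 "-" "sqlmap/1.8"
"""

# Combined log format: ip ident user [timestamp] "METHOD target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicator patterns, applied to each decoded parameter value. Each is a
# heuristic: expect false positives on free-text fields and tune per application.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I)),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("tautology", re.compile(r'\b(or|and)\b\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+', re.I)),
    ("stacked", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]


def analyze_request(target):
    """Decode every query parameter of a request target and return the sorted
    list of indicator names it triggers ([] for a clean request)."""
    parts = urlsplit(target)
    hits = set()
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; a second pass normalises
        # double-encoded payloads (e.g. %2527 -> %27 -> ').
        decoded = unquote_plus(value)
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(decoded):
                hits.add(name)
    return sorted(hits)


def scan_log(text):
    """Parse each log line and return a finding dict for every request that
    triggers at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = analyze_request(m["target"])
        if indicators:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "ua": m["ua"],
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["status"], f["indicators"], f["target"])
```

In practice a 500 response following a quote-bearing parameter, as in the last sample line, is a stronger signal than the pattern match alone (error-based probing), and a burst of flagged requests from one source against one endpoint is what should page someone. Pattern matching on inputs detects attempts; it does not substitute for the v1.5 upgrade or for parameterized queries.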

References

USOM advisory TR-25-0051: https://www.usom.gov.tr/bildirim/tr-25-0051