CVE-2025-10969

Critical

Published: 12 February 2026

Published

12 February 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 3.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10969 is a critical-severity SQL Injection (CWE-89) vulnerability in Farktor E-Commerce Package. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents blind SQL injection by validating and sanitizing user inputs before incorporation into SQL commands.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by requiring timely patching or updating of the affected E-Commerce Package software.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Identifies SQL injection vulnerabilities like CVE-2025-10969 through automated scanning of the system.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote unauthenticated SQL injection in a public-facing e-commerce web application enables initial access via exploitation of the exposed service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Blind SQL Injection.This issue affects E-Commerce Package: through 27112025.

Deeper analysisAI

CVE-2025-10969 is an Improper Neutralization of Special Elements used in an SQL Command vulnerability, classified as SQL Injection and specifically enabling Blind SQL Injection, in the E-Commerce Package from Farktor Software E-Commerce Services Inc. The issue affects all versions of the E-Commerce Package through 27112025. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts on confidentiality, integrity, and availability.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows attackers to perform Blind SQL Injection, enabling them to infer and extract sensitive data from the underlying database, modify database contents, or disrupt service availability.

The primary advisory reference is from USOM at https://www.usom.gov.tr/bildirim/tr-26-0063, which security practitioners should consult for detailed mitigation guidance, such as applying patches if available or implementing input validation and prepared statements.