CVE-2025-11242
Published: 10 February 2026
Summary
CVE-2025-11242 is a critical-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Okulistik, a web application from Teknolist Computer Systems Software Publishing Industry and Trade Inc. (see the vulnerability details below). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2025-11242 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in Okulistik software developed by Teknolist Computer Systems Software Publishing Industry and Trade Inc. The flaw affects all versions of Okulistik through 21102025 and was published on 2026-02-10. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
The vulnerability enables exploitation by unauthenticated remote attackers over the network, with low complexity and no requirement for user interaction. Successful attacks can result in high impacts on confidentiality, integrity, and availability, allowing attackers to forge server-side requests that may lead to unauthorized access to internal systems or resources.
The Turkish National Cyber Incident Response Center (USOM) has issued an advisory on this vulnerability, available at https://www.usom.gov.tr/bildirim/tr-26-0048, which security practitioners should consult for detailed mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207352
Vulnerability details
Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery. This issue affects Okulistik: through 21102025.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing web application directly enables remote exploitation of internal resources via forged server requests (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all URL and request inputs to block forged server-side requests that enable the SSRF flaw in Okulistik.
- AC-4 (Information Flow Enforcement): enforces information flow policies that restrict the server from initiating unauthorized outbound requests to internal or external resources.
- Boundary controls such as allow-lists or egress filtering: limit the network destinations the vulnerable Okulistik application can reach.
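The input-validation and allow-list controls above, combined into one outbound-request gate as an added example; this is not code from Okulistik, Teknolist or the USOM advisory. The allow-listed hosts, the offline resolver and its address table are constructed for the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list: the only destinations the server may fetch from.
ALLOWED_HOSTS = {"cdn.example.com", "api.partner.example"}

def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (covers the 169.254.169.254 metadata
    endpoint), multicast, reserved and unspecified ranges, incl. IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Gate for server-initiated requests: returns (allowed, reason).
    `resolver` is injectable so the check can be exercised offline."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443            # .port raises ValueError when malformed
    except ValueError as exc:
        return False, f"malformed url: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in url"
    host = (parts.hostname or "").lower().rstrip(".")   # normalise case, trailing dot
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host!r}"
    if port != 443:
        return False, f"port not allowed: {port}"
    # An allow-listed name can still resolve to an internal address (misconfigured or
    # rebinding DNS), so every resolved address is checked; the caller must connect to
    # one of these checked addresses rather than resolving the name a second time.
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"dns failure: {exc}"
    blocked = sorted({i[4][0] for i in infos if not is_public_address(i[4][0])})
    if blocked:
        return False, f"resolves to non-public address: {blocked}"
    return True, "ok"

def offline_resolver(host, port, proto=None):
    """Constructed stand-in for socket.getaddrinfo so the example runs without DNS."""
    table = {"cdn.example.com": ["203.0.114.10"], "api.partner.example": ["10.0.0.5"]}
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in table[host]]
```

Egress filtering at the network layer (the third control) remains necessary alongside this check, since any code path that bypasses the gate would otherwise still reach internal addresses.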