Cyber Resilience

CVE-2025-11242

Severity: Critical
Published: 10 February 2026
Modified: 04 June 2026
KEV Added: not listed
Patch: not recorded
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0030 (21.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-11242 is a critical-severity SSRF (CWE-918) vulnerability; the affected asset is recorded as Gov (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2025-11242 is a Server-Side Request Forgery (SSRF) vulnerability, mapped to CWE-918, in Okulistik software developed by Teknolist Computer Systems Software Publishing Industry and Trade Inc. The flaw affects all versions of Okulistik through 21102025 and was published on 2026-02-10. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

The vulnerability enables exploitation by unauthenticated remote attackers over the network, with low complexity and no requirement for user interaction. Successful attacks can result in high impacts on confidentiality, integrity, and availability, allowing attackers to forge server-side requests that may lead to unauthorized access to internal systems or resources.

The Turkish National Cyber Incident Response Center (USOM) has issued an advisory on this vulnerability, available at https://www.usom.gov.tr/bildirim/tr-26-0048, which security practitioners should consult for detailed mitigation guidance.

Vulnerability details

Server-Side Request Forgery (SSRF) vulnerability in Teknolist Computer Systems Software Publishing Industry and Trade Inc. Okulistik allows Server Side Request Forgery. This issue affects Okulistik: through 21102025.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in a public-facing web application directly enables remote exploitation of internal resources via forged server requests (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13195 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-69299 (shared CWE-918)
CVE-2026-42398 (shared CWE-918)
CVE-2026-7025 (shared CWE-918)
CVE-2025-2691 (shared CWE-918)
CVE-2025-21385 (shared CWE-918)
CVE-2026-6625 (shared CWE-918)
CVE-2026-30118 (shared CWE-918)

Affected Assets

Gov (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation · prevent

Directly requires validation of all URL and request inputs to block forged server-side requests that enable the SSRF flaw in Okulistik.

AC-4 Information Flow Enforcement · prevent

Enforces information flow policies that restrict the server from initiating unauthorized outbound requests to internal or external resources.

prevent

Implements boundary controls such as allow-lists or egress filtering to limit the network destinations the vulnerable Okulistik application can reach.
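As an added illustration of the input-validation and allow-list guidance above (example code written for this page, not code from Teknolist, Okulistik or the advisory): a default-deny validator for client-supplied URLs. The hostnames in the allow-list and the resolver answers are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allow-list (hypothetical names): the only destinations the server may fetch.
ALLOWED_HOSTS = {"cdn.example.invalid", "api.partner.example.invalid"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_ip(ip: str) -> bool:
    # is_global excludes loopback, RFC 1918, link-local, CGNAT, multicast and reserved ranges.
    return ipaddress.ip_address(ip).is_global


def validate_outbound_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Default-deny check on a client-supplied URL; returns (allowed, reason).

    Scheme, host and port must all be allow-listed and every resolved address must be
    public. Connect to the address checked here, not to a fresh lookup, or a DNS answer
    that changes between check and use defeats the check.
    """
    try:
        parts = urlparse(url)
        port = parts.port or 443  # .port raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allow-list: {host!r}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        infos = resolver(host, port)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    for info in infos:
        ip = info[4][0]  # sockaddr tuple; the address is the first element for v4 and v6
        if not is_public_ip(ip):
            return False, f"host resolves to non-public address {ip}"
    return True, "ok"


# Constructed resolvers with hypothetical answers so the example runs offline.
def resolve_public(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("1.2.3.4", port))]


def resolve_internal(host, port):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("10.0.0.5", port))]
```

Pair the validator with egress filtering at the network boundary, since an application-level check alone cannot stop a request the application code never routes through it.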

References

USOM advisory TR-26-0048: https://www.usom.gov.tr/bildirim/tr-26-0048