CVE-2025-5319
Published: 03 February 2026
Summary
CVE-2025-5319 is a critical-severity SQL Injection (CWE-89) vulnerability in the DIGITA Efficiency Management System (vendor attribution inferred from the references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-5319 is an SQL Injection vulnerability (CWE-89), stemming from improper neutralization of special elements used in an SQL command, in the DIGITA Efficiency Management System developed by Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. This issue affects all versions of the DIGITA Efficiency Management System through 03022026.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by any unauthenticated attacker with low attack complexity and no requirement for user interaction. Successful exploitation grants high-impact access to confidential data, allows modification or deletion of database contents, and can disrupt system availability.
An advisory detailing the issue is available at https://www.usom.gov.tr/bildirim/tr-26-0016. The vendor was contacted early regarding this disclosure but provided no response.
No patches or official mitigations have been issued by the vendor, and there is no information on real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206734
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026.…
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated exploitation of a public-facing web application via SQL injection (CWE-89).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of untrusted input before it is used in SQL commands, preventing the exact CWE-89 flaw described in CVE-2025-5319.
- SC-7 (Boundary Protection): boundary protection mechanisms such as WAF rules or input-filtering proxies can block or alert on SQL injection payloads targeting the vulnerable DIGITA application.
- AC-6 (Least Privilege): least-privilege database accounts limit the confidentiality, integrity, and availability impact when an unauthenticated attacker successfully exploits the SQL injection.
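The following is an added illustration of the SI-10 and AC-6 controls above, not code from the advisory or from the DIGITA product. It uses SQLite with a constructed `users` table: the CWE-89 pattern (input spliced into the SQL string) sits beside the parameterized form, and the query path runs over a read-only connection so a remaining flaw cannot alter table contents.

```python
import os
import pathlib
import sqlite3
import tempfile

# Constructed sample data; the schema is illustrative, not the DIGITA product's.
SAMPLE_ROWS = [(1, "alice", "ops"), (2, "bob", "finance")]


def create_db(path):
    """Create a small SQLite database at `path` and seed it with sample rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def lookup_unsafe(conn, name):
    """CWE-89 pattern: the untrusted value is spliced into the SQL text,
    so the database engine cannot distinguish data from command."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """SI-10 in practice: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def open_readonly(path):
    """AC-6 in practice: the application's query path gets a read-only
    connection, so even an unfixed injection cannot modify or delete rows."""
    return sqlite3.connect(pathlib.Path(path).as_uri() + "?mode=ro", uri=True)


def demo():
    """Run both lookups on one malformed input; return (unsafe rows, safe rows, writable)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.db")
        create_db(path)
        conn = open_readonly(path)
        try:
            crafted = "nobody' OR '1'='1"          # a quote plus an OR clause
            unsafe = lookup_unsafe(conn, crafted)  # the OR clause is executed
            safe = lookup_safe(conn, crafted)      # no user has this literal name
            try:
                conn.execute("DELETE FROM users")  # refused on a read-only connection
                writable = True
            except sqlite3.OperationalError:
                writable = False
            return len(unsafe), len(safe), writable
        finally:
            conn.close()
```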