Cyber Resilience

CVE-2025-9953

Severity: Critical (record updated)

Published: 19 February 2026
Modified: 25 June 2026
KEV Added: not listed
Patch: none available from vendor
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0035 (26.7th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-9953 is a critical-severity Authorization Bypass Through User-Controlled SQL Primary Key (CWE-566) vulnerability affecting an asset classified as Gov (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-9953 is an authorization bypass vulnerability stemming from a user-controlled SQL primary key, enabling SQL injection in Databank Accreditation Software developed by DATABASE Software Training Consulting Ltd. The flaw affects all versions of the software up to and including 19022026. Assigned CWE-566, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.

Remote attackers require no authentication or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows arbitrary SQL injection, bypassing authorization controls to achieve high-impact confidentiality, integrity, and availability violations, such as unauthorized data access, modification, or deletion within the affected database.

The sole referenced advisory from the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-26-0078 details the vulnerability. The vendor was notified early but provided no response, and no patches or mitigations are available from the vendor as of the CVE publication on 2026-02-19.

Vulnerability details

Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection. This issue affects Databank Accreditation Software: before 2026/04.

CWE(s)

CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated SQL injection in a public-facing web application enabling full database compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21886 (shared CWE-566)
CVE-2025-61781 (shared CWE-566)

Affected Assets

Gov
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-10 (Information Input Validation)

Directly requires validation of user-supplied inputs such as SQL primary keys to reject malformed or malicious values that enable injection.

prevent · AC-3 (Access Enforcement)

Enforces authorization decisions on every access attempt, blocking the unauthorized database operations that result from the bypassed primary-key check.

detect

Monitors inbound queries and database interactions for anomalous SQL patterns indicative of the primary-key injection attack in progress.
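The three controls above map onto concrete code changes in any application that looks up a row by a caller-supplied primary key. The following is an added illustration, not code from Databank Accreditation Software or from the advisory, and it does not reproduce CVE-2025-9953 itself: it shows the general CWE-566 shape (the key is spliced into SQL and the query never asks who is calling) next to a version that validates the key (SI-10), binds it as a parameter and scopes the row to the authenticated user (AC-3), and records rejected or out-of-scope requests for monitoring (the detect control). The `accreditations` table, its rows and the user ids are constructed sample data; sqlite3 stands in for whatever database the real product uses.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demonstration; nothing here comes
# from the affected product. The "accreditations" table is hypothetical.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accreditations ("
        "id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, "
        "title TEXT NOT NULL, status TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accreditations VALUES (?, ?, ?, ?)",
        [(1, 100, "Lab A scope", "approved"), (2, 200, "Lab B scope", "pending")],
    )
    return conn


def fetch_record_vulnerable(conn, record_id):
    """CWE-566 shape: the primary key arrives as request text, is spliced into
    the SQL, and the query never checks who is making the request."""
    sql = "SELECT id, owner_id, title, status FROM accreditations WHERE id = " + record_id
    return conn.execute(sql).fetchall()


# The only shape an accreditation id is allowed to have: a positive integer.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")

# Audit trail for rejected or out-of-scope requests (feeds the 'detect' control).
audit_events = []


def fetch_record_hardened(conn, record_id, current_user_id):
    """SI-10: reject anything that is not a well-formed id before it reaches SQL.
    AC-3: bind the id as a parameter and restrict the row to the caller."""
    if not ID_PATTERN.fullmatch(record_id):
        audit_events.append({"event": "rejected_id", "user": current_user_id, "value": record_id})
        raise ValueError("record id must be a positive integer")
    row = conn.execute(
        "SELECT id, owner_id, title, status FROM accreditations "
        "WHERE id = ? AND owner_id = ?",
        (int(record_id), current_user_id),
    ).fetchone()
    if row is None:
        # Well-formed id, but not the caller's row: worth logging, never worth returning.
        audit_events.append({"event": "out_of_scope_id", "user": current_user_id, "value": record_id})
        return None
    return {"id": row[0], "owner_id": row[1], "title": row[2], "status": row[3]}


if __name__ == "__main__":
    db = build_db()
    print(fetch_record_vulnerable(db, "2"))           # one row, as intended
    print(fetch_record_vulnerable(db, "1 OR 1=1"))    # every row, no credentials needed
    print(fetch_record_hardened(db, "2", 200))        # owner gets the row
    print(fetch_record_hardened(db, "2", 100))        # non-owner gets None
    try:
        fetch_record_hardened(db, "1 OR 1=1", 100)
    except ValueError as exc:
        print("rejected:", exc)
    print(audit_events)
```

The hardened version never trusts the primary key to carry authorization: even a syntactically valid id is joined against `owner_id` on the server side, so a caller cannot reach another tenant's row by guessing numbers. The two audit events are the raw material for the detect control on this page; a sudden run of `rejected_id` or `out_of_scope_id` entries from one source is the signal a monitoring rule should alert on.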

References