CVE-2025-9953
Published: 19 February 2026
Summary
CVE-2025-9953 is a critical-severity Authorization Bypass Through User-Controlled SQL Primary Key (CWE-566) vulnerability in Databank Accreditation Software from DATABASE Software Training Consulting Ltd. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-9953 is an authorization bypass vulnerability in Databank Accreditation Software, developed by DATABASE Software Training Consulting Ltd. The application executes a SQL statement with a primary key taken from the client, so whichever record the key names is returned or changed without an authorization check; the advisory further states that the flaw allows SQL injection, meaning the key value is not confined to a valid identifier before it reaches the query. This analysis lists all versions up to and including 19022026 as affected, while the CVE description gives the affected range as "before 2026/04". Assigned CWE-566, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), critical severity reflecting the potential for complete compromise of the affected database.
The vulnerability is exploitable over the network with low attack complexity and requires neither authentication nor user interaction. Successful exploitation allows SQL injection and bypasses the authorization that should restrict which records a caller can reach, with high impact on confidentiality, integrity, and availability: unauthorized reading, modification, or deletion of data in the affected database.
The sole referenced advisory, from the Turkish National Cyber Incident Response Center (USOM) at https://www.usom.gov.tr/bildirim/tr-26-0078, describes the vulnerability. The vendor was notified early but did not respond, and no vendor patch or mitigation was available as of the CVE publication on 2026-02-19.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207685
Vulnerability details
Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection. This issue affects Databank Accreditation Software: before 2026/04.
- CWE: CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): direct, remote, unauthenticated SQL injection against a public-facing web application that can lead to full database compromise.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied inputs such as SQL primary keys, rejecting malformed or malicious values that enable injection.
- AC-3 (Access Enforcement): enforces authorization decisions on every access attempt, blocking the unauthorized database operations that result from the bypassed primary-key check.
- Monitoring of inbound queries and database interactions for anomalous SQL patterns indicative of primary-key injection in progress.
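The pattern behind CWE-566 and the two controls above, shown as an added example rather than code from Databank Accreditation Software or the USOM advisory: a record lookup keyed by a client-supplied primary key, first in the vulnerable shape (no ownership check, key interpolated into the statement), then hardened with input validation (SI-10), parameter binding, and per-record access enforcement (AC-3). The table, column names, user names and sample rows are constructed assumptions; SQLite stands in for whatever database the product actually uses.

```python
"""Added example (not code from Databank Accreditation Software or the advisory).
Table, columns, users and rows below are constructed for illustration."""
import re
import sqlite3

# SI-10: a primary key is a positive integer in canonical form; nothing else passes.
KEY_RE = re.compile(r"^[1-9][0-9]{0,17}$")


class AccessDenied(Exception):
    pass


def make_db():
    """Constructed sample data: two users, each owning one accreditation record."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accreditations (
            id INTEGER PRIMARY KEY,
            owner TEXT NOT NULL,
            institution TEXT NOT NULL,
            status TEXT NOT NULL
        );
        INSERT INTO accreditations VALUES (1, 'alice', 'Example University', 'approved');
        INSERT INTO accreditations VALUES (2, 'bob', 'Sample College', 'pending');
        """
    )
    return conn


def fetch_vulnerable(conn, record_id):
    """Vulnerable shape: the caller's identity is never consulted and the raw key
    is interpolated into the statement, so any record is reachable just by
    changing the key (CWE-566) and the key position accepts arbitrary SQL."""
    sql = f"SELECT id, owner, institution, status FROM accreditations WHERE id = {record_id}"
    return conn.execute(sql).fetchall()


def fetch_hardened(conn, record_id, current_user):
    """Hardened shape: validate the key (SI-10), bind it as a parameter, and make
    the predicate itself tie the record to the caller (AC-3), so a valid key for
    another user's record yields no row and is refused."""
    if not isinstance(record_id, str) or not KEY_RE.fullmatch(record_id):
        raise ValueError("record id must be a positive integer")
    rows = conn.execute(
        "SELECT id, owner, institution, status FROM accreditations "
        "WHERE id = ? AND owner = ?",
        (int(record_id), current_user),
    ).fetchall()
    if not rows:
        raise AccessDenied(f"{current_user} may not read record {record_id}")
    return rows[0]


def raises(exc_type, fn, *args):
    """True if fn(*args) raises exc_type, so refusals can be checked as values."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def demo():
    conn = make_db()
    # Alice reaches Bob's record by changing nothing but the key (CWE-566).
    idor = fetch_vulnerable(conn, "2")
    # The same key position takes SQL: every row, then the schema via UNION.
    all_rows = fetch_vulnerable(conn, "1 OR 1=1")
    schema = fetch_vulnerable(conn, "0 UNION SELECT 0, name, sql, type FROM sqlite_master")
    # Hardened: own record is served, Bob's is refused, injection never reaches SQL.
    own = fetch_hardened(conn, "1", "alice")
    return {
        "idor_owner": idor[0][1],
        "row_count_via_or": len(all_rows),
        "leaked_tables": [r[1] for r in schema],
        "own_owner": own[1],
        "cross_user_denied": raises(AccessDenied, fetch_hardened, conn, "2", "alice"),
        "injection_rejected": raises(ValueError, fetch_hardened, conn, "1 OR 1=1", "alice"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ownership predicate is deliberately part of the query rather than a check on the returned row: a separate post-fetch comparison still lets the caller probe which keys exist, and it is easy to forget on the update and delete paths that share the same key. Rejecting the key with a strict pattern before parsing means a value like "1 OR 1=1" or "-1" is refused at the input boundary, which is what SI-10 asks for, independently of the parameter binding that would already neutralise it.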