Cyber Posture

CVE-2025-9986

High

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0005 14.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9986 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Gov (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by requiring identification, reporting, and timely remediation of the specific software flaw exposing sensitive system information.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for logical access, preventing unauthorized entities from exploiting the vulnerability to access sensitive system information.

SC-7 Boundary Protection good match
prevent

Monitors and controls communications at external boundaries, blocking unauthenticated remote attackers from reaching and exploiting the information exposure over the network.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

Unauthenticated remote network exploitation of public-facing software directly matches T1190; resulting exposure of sensitive system information enables T1005.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation.This issue affects DIGIKENT: through 13092025.

Deeper analysisAI

CVE-2025-9986 is an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability (CWE-497) in DIGIKENT software from Vadi Corporate Information Systems Ltd. Co. This issue affects DIGIKENT versions through 13092025 and was published on 2026-02-11. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables the attacker to access highly sensitive system information exposed to an unauthorized control sphere and achieve low-impact integrity modifications.

Mitigation details are available in the advisory published by USOM at https://www.usom.gov.tr/bildirim/tr-26-0056.

Details

CWE(s)
CWE-497

Affected Products

Gov
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-13616Shared CWE-497
CVE-2026-27494Shared CWE-497
CVE-2026-34413Shared CWE-497
CVE-2025-9110Shared CWE-497
CVE-2026-24222Shared CWE-497
CVE-2025-1144Shared CWE-497
CVE-2026-24536Shared CWE-497
CVE-2026-24523Shared CWE-497
CVE-2025-47378Shared CWE-497
CVE-2024-13999Shared CWE-497

References