Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure allows Blind SQL Injection.
This issue affects Winsure: through Version dated 21.08.2025.
AnalysisAI
Blind SQL injection in SFS Consulting's Winsure platform (all versions through the 21.08.2025 release) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The flaw carries a CVSS 9.8 rating reflecting network-reachable, low-complexity exploitation with no privileges or user interaction required, and no public exploit identified at time of analysis. The advisory was issued by Turkey's national CERT (USOM), suggesting regional relevance to Turkish insurance-sector deployments.
Technical ContextAI
Winsure is an insurance industry application produced by SFS Consulting Information Processing Industry and Foreign Trade Inc., a Turkey-based vendor serving the insurance/financial sector. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or interpolated into SQL statements without parameterization or proper escaping. The 'Blind' qualifier indicates the application does not return query results or verbose errors directly, so exploitation typically relies on boolean-based or time-based inference techniques (e.g., conditional WAITFOR/SLEEP/BENCHMARK payloads) to extract data character-by-character. No CPE strings were published in the available NVD record, so the precise underlying database engine and affected modules are not enumerated.
Affected ProductsAI
The vulnerability affects Winsure by SFS Consulting Information Processing Industry and Foreign Trade Inc. through the version dated 21.08.2025 (i.e., all releases up to and including the August 21, 2025 build). No CPE 2.3 strings were published in the supplied NVD data, and no precise edition or module list is enumerated. Vendor and national-CERT references are available at the Turkish CSIRT advisory https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0337 and the USOM bulletin https://www.usom.gov.tr/bildirim/tr-25-0337.
RemediationAI
No vendor-released patch version was identified at time of analysis in the provided data - operators should contact SFS Consulting directly and consult the USOM/Turkish CSIRT advisories at https://www.usom.gov.tr/bildirim/tr-25-0337 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0337 to obtain the post-21.08.2025 fixed build. As compensating controls until a fix is applied, deploy a WAF in front of the Winsure web tier with SQLi signatures tuned for blind/time-based payloads (accepting the risk of false positives on insurance forms that legitimately contain quotes or special characters), restrict network reachability of the Winsure application to known broker/agent IP ranges via firewall ACLs or VPN-only access (which will block legitimate field users not on the corporate network), enforce least-privilege on the database account used by the application so successful injection cannot escalate to schema modification or xp_cmdshell-style RCE, and enable verbose database query logging plus alerting on time-delay primitives such as WAITFOR, SLEEP, BENCHMARK, or unusually long-running queries.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today