
E-Commerce Website CVE-2025-11024

EUVD-2025-209838 | CRITICAL
SQL Injection (CWE-89)
2026-05-14 | TR-CERT | GHSA-6g4r-8638-677q
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 14, 2026 - 11:01 (EUVD)
Analysis Generated: May 14, 2026 - 10:15 (vuln.today)
CVE Published: May 14, 2026 - 09:21 (NVD)

Description (NVD)

Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection.

This issue affects E-Commerce Website: before 4.5.001.

Analysis (AI-generated)

Remote, unauthenticated SQL injection in Akilli Commerce Software Technologies E-Commerce Website before version 4.5.001 allows complete compromise of the application database. The flaw is a blind SQL injection reachable over the network with low attack complexity and no privileges or user interaction (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), with full confidentiality, integrity, and availability impact (base score 9.8, critical). TR-CERT (the Turkish national CERT) published the advisory, indicating regional significance for Turkish e-commerce deployments. No public exploit was identified at the time of analysis; EPSS risk data and CISA KEV status were unavailable for the initial assessment.

Technical Context (AI-generated)

This vulnerability stems from CWE-89 (SQL Injection): the application fails to sanitize or parameterize user-supplied input before incorporating it into SQL queries. The affected system is Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website (CPE: cpe:2.3:a:akilli_commerce_software_technologies_ltd._co.:e-commerce_website), a Turkish e-commerce platform. Blind SQL injection differs from classic SQLi in that query results are never displayed directly; instead an attacker infers database contents from time-based delays, boolean (true/false) response differences, or error behavior. Because the vector is network-accessible (AV:N) and no authentication is required (PR:N), any remote party can reach the vulnerable, externally facing application endpoints. The low attack complexity (AC:L) indicates that exploitation depends on no special conditions such as race windows or precise timing, so it is reliably exploitable with standard SQLi tooling such as sqlmap or hand-crafted payloads.

Remediation (AI-generated)

Upgrade immediately to E-Commerce Website version 4.5.001 or later, the first version the CVE disclosure lists as unaffected. Obtain the patched version from Akilli Commerce Software Technologies Ltd. Co. through official channels and consult the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222 for additional vendor guidance. If immediate patching is not feasible, implement emergency compensating controls: deploy a web application firewall (WAF) with SQL injection signature detection and blocking rules (blind SQLi may evade basic filters, so enable query inspection and time-delay anomaly detection); restrict the application's database user to the minimum required operations, removing DROP, CREATE, and administrative privileges to limit post-exploitation impact (note that an attacker can still exfiltrate any data the application user can read); enable database query logging and monitor for suspicious patterns such as WAITFOR DELAY, BENCHMARK(), or boolean tautologies (this adds performance overhead and only aids detection; it does not prevent exploitation). Network segmentation that isolates database servers from direct internet access provides defense in depth but does not mitigate application-layer exploitation. All compensating controls are partial risk reduction only; upgrading to 4.5.001 is the definitive remediation.
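The query-log monitoring described above, as an added illustration that is not part of this advisory or of the affected product: a small Python scanner that flags the blind-SQLi indicators named in the remediation (time-delay functions, boolean tautologies, abnormally slow queries) in a constructed, hypothetical log format of `<duration_ms> <sql>` per line.

```python
import re

# Constructed sample log lines in an assumed "<duration_ms> <sql>" format.
# They are illustrative only and do not come from the affected product.
SAMPLE_LOG = """\
12 SELECT id, name FROM products WHERE category_id = 7
5012 SELECT * FROM products WHERE id = 1 AND 1=1 WAITFOR DELAY '0:0:5'--
4 SELECT * FROM users WHERE email = 'a@b.tr' AND password = ?
3020 SELECT * FROM products WHERE id = 1 AND BENCHMARK(3000000,MD5(1))
9 SELECT * FROM orders WHERE user_id = 42 OR 1=1
7 SELECT count(*) FROM sessions WHERE token = 'xyz'
"""

# Time-delay primitives used by time-based blind SQLi across common engines.
TIME_DELAY = re.compile(
    r"\b(WAITFOR\s+DELAY|BENCHMARK\s*\(|SLEEP\s*\(|PG_SLEEP\s*\()", re.I)
# Boolean tautologies: "OR 1=1", "AND 'a'='a'" (same literal on both sides).
TAUTOLOGY = re.compile(
    r"\b(OR|AND)\s+(\d+)\s*=\s*\2\b|\b(OR|AND)\s+'([^']*)'\s*=\s*'\4'", re.I)
# Queries slower than this (ms) are reported as time-delay anomalies.
SLOW_MS = 2000


def scan_log(text, slow_ms=SLOW_MS):
    """Return [(line_no, [reasons...])] for every log line that looks suspicious."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        duration, _, sql = line.partition(" ")
        ms = int(duration) if duration.isdigit() else 0
        reasons = []
        if TIME_DELAY.search(sql):
            reasons.append("time-delay function")
        if TAUTOLOGY.search(sql):
            reasons.append("boolean tautology")
        if ms >= slow_ms:
            reasons.append(f"slow query ({ms} ms)")
        if reasons:
            findings.append((line_no, reasons))
    return findings


if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Signature matching alone misses obfuscated payloads; the duration check is what catches a time-based probe whose SQL text evades the patterns.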

CVE-2025-11024 vulnerability details – vuln.today