Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aksis Technology Inc. Netty ERP allows SQL Injection.
This issue affects Netty ERP: before V.1.1000.
AnalysisAI
Unauthenticated SQL injection in Aksis Technology Netty ERP versions prior to V.1.1000 allows remote attackers to manipulate backend database queries with full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw is rooted in improper neutralization of special elements in SQL commands (CWE-89), and no public exploit has been identified at time of analysis, though the Turkish national CSIRT (USOM) has issued a public bulletin tracking this issue.
Technical ContextAI
Netty ERP is an enterprise resource planning platform produced by Turkey-based Aksis Technology Inc., commonly deployed for back-office business operations. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or otherwise incorporated into SQL statements without proper parameterization or escaping. This class of flaw allows an attacker to break out of the intended query context and inject arbitrary SQL syntax, which the backend database executes with the privileges of the ERP application's database account - typically a high-privileged account in ERP deployments. No CPE strings were supplied in the source data, so the affected component within Netty ERP (specific endpoint, parameter, or module) is not enumerable from the provided intelligence.
Affected ProductsAI
Aksis Technology Inc. Netty ERP, all versions before V.1.1000, are affected. No CPE strings were provided in the source intelligence, and no vendor advisory URL was included in the references - the only available pointers are the Turkish national CSIRT bulletin at https://www.usom.gov.tr/bildirim/tr-25-0359 and its mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0359, neither of which enumerates specific affected modules or endpoints.
RemediationAI
Upgrade Netty ERP to V.1.1000 or later, which is the vendor-indicated fix version per the CVE record; consult Aksis Technology directly for release notes and patched binaries, as no vendor advisory URL is present in the references and the only public bulletins are the Turkish USOM advisories at https://www.usom.gov.tr/bildirim/tr-25-0359 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0359. If immediate upgrade is not possible, restrict network exposure of the Netty ERP application to trusted internal networks or VPN-only access (trade-off: breaks remote/mobile worker access and any external integrations), deploy a WAF with SQL injection signature rulesets in front of the application (trade-off: signature-based detection can be bypassed by encoding tricks and may produce false positives on legitimate ERP queries containing SQL-like strings), and enforce least-privilege on the database account used by the application so a successful injection cannot DROP tables or read unrelated schemas (trade-off: requires careful permission mapping to avoid breaking legitimate ERP functions). Enable verbose SQL query logging and review for anomalous UNION, sleep-based, or error-based payloads as a detection compensating control.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today