Talent Software UNIS CVE-2025-12504
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software UNIS allows SQL Injection.
This issue affects UNIS: before 42321.
AnalysisAI
Unauthenticated SQL injection in Talent Software UNIS versions prior to 42321 allows remote attackers to manipulate backend database queries over the network without any authentication or user interaction. The vulnerability carries a CVSS 9.8 rating reflecting full compromise potential across confidentiality, integrity, and availability, and was reported by Turkey's national CSIRT (USOM), though no public exploit code or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input is concatenated into SQL statements without adequate parameterization or sanitization, allowing attacker-supplied syntax to alter query semantics. UNIS is a Talent Software product; no CPE strings were provided in the input data, so the precise affected component (e.g., specific endpoint, parameter, or module) is not enumerated by NVD. The disclosure was coordinated through Turkey's USOM/TR-CERT, which typically handles vulnerabilities in software deployed within Turkish enterprise or government environments.
Affected ProductsAI
Talent Software UNIS, all versions before 42321, is affected per the NVD-provided version range; no CPE string was supplied in the intelligence, and no vendor advisory URL is included beyond the Turkish national CSIRT bulletins at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0435 and https://www.usom.gov.tr/bildirim/tr-25-0435, which serve as the authoritative public references.
RemediationAI
Vendor-released patch: UNIS version 42321 or later - upgrade all UNIS deployments to this build per the version-fixed metadata in NVD and the USOM advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0435 and https://www.usom.gov.tr/bildirim/tr-25-0435. Until the upgrade is applied, restrict network reachability of the UNIS application to trusted management networks or VPN segments to remove the AV:N precondition, and place a web application firewall in front of the application with SQLi signature rules tuned for the specific request parameters (note this can produce false positives on legitimate inputs containing SQL metacharacters and is a stopgap, not a fix); database accounts used by UNIS should be reviewed and granted least privilege so that a successful injection cannot perform administrative operations or pivot to other schemas.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today