Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection.
This issue affects Agentis: before 4.32.
AnalysisAI
SQL injection in Rolantis Information Technologies Agentis versions prior to 4.32 allows remote unauthenticated attackers to inject arbitrary SQL commands with scope change, enabling full compromise of confidentiality, integrity, and availability (CVSS 10.0). The flaw was reported by Turkey's national CERT (USOM) and carries no public exploit identified at time of analysis, though the maximum CVSS score and trivial attack profile make this a high-priority patch despite the modest EPSS of 0.24%.
Technical ContextAI
Agentis is a business application produced by Turkish vendor Rolantis Information Technologies; the affected component fails to neutralize special characters in user-controlled input that is incorporated into SQL queries (CWE-89). Because the CVSS vector reports S:C (scope changed), the injection point likely allows the attacker to break out of the database context and influence resources beyond the vulnerable component - typical when the SQL backend has elevated privileges or executes OS-level functions. Exact injection sinks are not disclosed in the public advisories, which are hosted on USOM (Turkish National Cyber Incident Response Center) rather than vendor pages.
Affected ProductsAI
Rolantis Information Technologies Agentis at all versions before 4.32 is affected. No CPE entries were supplied in the input data, and no vendor advisory URL was provided - the only references are the Turkish national CERT bulletin at https://www.usom.gov.tr/bildirim/tr-25-0168 and its mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0168, both of which serve as the authoritative public source for the affected version range.
RemediationAI
Upgrade Rolantis Agentis to version 4.32 or later, which is the fixed release identified in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0168. Patch status: vendor-released patch corresponds to Agentis 4.32 per the advisory's 'before 4.32' wording. If immediate patching is not possible, restrict network reachability of the Agentis application to trusted internal networks via firewall or VPN gating (trade-off: breaks any legitimate external/partner access), place a WAF in front of the application with strict SQLi rule sets tuned to block tautology, union-based, and time-based payloads (trade-off: WAFs can be bypassed and may generate false positives on legitimate complex queries), and ensure the database account used by Agentis is granted least-privilege rights so that even successful injection cannot reach administrative SQL functions like xp_cmdshell or file_priv (trade-off: may require application reconfiguration and break some features). Monitor database query logs for anomalous patterns referencing system tables or stacked queries during the mitigation window.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today