Skip to main content

Rolantis Agentis CVE-2025-4285

CRITICAL
SQL Injection (CWE-89)
2025-07-22 iletisim@usom.gov.tr
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 18:33 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection.

This issue affects Agentis: before 4.32.

AnalysisAI

SQL injection in Rolantis Information Technologies Agentis versions prior to 4.32 allows remote unauthenticated attackers to inject arbitrary SQL commands with scope change, enabling full compromise of confidentiality, integrity, and availability (CVSS 10.0). The flaw was reported by Turkey's national CERT (USOM) and carries no public exploit identified at time of analysis, though the maximum CVSS score and trivial attack profile make this a high-priority patch despite the modest EPSS of 0.24%.

Technical ContextAI

Agentis is a business application produced by Turkish vendor Rolantis Information Technologies; the affected component fails to neutralize special characters in user-controlled input that is incorporated into SQL queries (CWE-89). Because the CVSS vector reports S:C (scope changed), the injection point likely allows the attacker to break out of the database context and influence resources beyond the vulnerable component - typical when the SQL backend has elevated privileges or executes OS-level functions. Exact injection sinks are not disclosed in the public advisories, which are hosted on USOM (Turkish National Cyber Incident Response Center) rather than vendor pages.

Affected ProductsAI

Rolantis Information Technologies Agentis at all versions before 4.32 is affected. No CPE entries were supplied in the input data, and no vendor advisory URL was provided - the only references are the Turkish national CERT bulletin at https://www.usom.gov.tr/bildirim/tr-25-0168 and its mirror at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0168, both of which serve as the authoritative public source for the affected version range.

RemediationAI

Upgrade Rolantis Agentis to version 4.32 or later, which is the fixed release identified in the USOM advisory at https://www.usom.gov.tr/bildirim/tr-25-0168. Patch status: vendor-released patch corresponds to Agentis 4.32 per the advisory's 'before 4.32' wording. If immediate patching is not possible, restrict network reachability of the Agentis application to trusted internal networks via firewall or VPN gating (trade-off: breaks any legitimate external/partner access), place a WAF in front of the application with strict SQLi rule sets tuned to block tautology, union-based, and time-based payloads (trade-off: WAFs can be bypassed and may generate false positives on legitimate complex queries), and ensure the database account used by Agentis is granted least-privilege rights so that even successful injection cannot reach administrative SQL functions like xp_cmdshell or file_priv (trade-off: may require application reconfiguration and break some features). Monitor database query logs for anomalous patterns referencing system tables or stacked queries during the mitigation window.

Share

CVE-2025-4285 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy