Skip to main content

Abis BAPSIS CVE-2025-6520

CRITICAL
SQL Injection (CWE-89)
2025-10-31 iletisim@usom.gov.tr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:32 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Abis Technology BAPSIS allows Blind SQL Injection.

This issue affects BAPSIS: before 202510271606.

AnalysisAI

Blind SQL injection in Abis Technology BAPSIS versions prior to 202510271606 allows unauthenticated remote attackers to manipulate backend database queries over the network with no user interaction. The CVSS 9.8 rating reflects full compromise of confidentiality, integrity, and availability, though EPSS remains very low at 0.04% (13th percentile) and no public exploit identified at time of analysis. Disclosure originates from Turkey's national CERT (USOM), suggesting regional product exposure rather than mass-market footprint.

Technical ContextAI

BAPSIS is a product from Turkish vendor Abis Technology, advertised through references hosted on Turkey's national cybersecurity portal (siberguvenlik.gov.tr) and USOM. The flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically the blind variant, meaning the attacker infers query results from response timing or boolean differences rather than direct error/output reflection. This typically arises when user-controlled input is concatenated into SQL statements without parameterized queries or strict input validation, and blind injection is often the residual class left when error suppression or generic responses hide direct output but the underlying query is still attacker-controllable.

Affected ProductsAI

Abis Technology BAPSIS is affected in all versions released before build/version 202510271606. No CPE strings were provided in the intelligence input, so exact CPE-based asset matching cannot be performed from this dataset alone. Vendor and national CERT advisories are published at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0365 and https://www.usom.gov.tr/bildirim/tr-25-0365.

RemediationAI

Upgrade BAPSIS to version 202510271606 or later as the primary fix; this version string is cited in the advisory as the first non-vulnerable build. Consult the vendor and USOM advisories at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0365 and https://www.usom.gov.tr/bildirim/tr-25-0365 for any operator-specific guidance. If patching cannot be performed immediately, place a web application firewall in front of BAPSIS with SQLi signatures tuned for blind/time-based payloads (boolean and SLEEP/BENCHMARK patterns) - accepting the trade-off that WAF rules can be bypassed and may produce false positives on legitimate analytic queries - and restrict network reachability of the BAPSIS application to trusted networks or VPN-fronted access only to remove the AV:N exposure until the upgrade is applied.

Share

CVE-2025-6520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy