Skip to main content

Aykome License Tracking System CVE-2025-6919

CRITICAL
SQL Injection (CWE-89)
2025-10-13 iletisim@usom.gov.tr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 15:32 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cats Information Technology Software Development Technologies Aykome License Tracking System allows SQL Injection.

This issue affects Aykome License Tracking System: before Version dated 06.10.2025.

AnalysisAI

SQL injection in Cats Information Technology's Aykome License Tracking System (versions prior to the 06.10.2025 build) allows remote unauthenticated attackers to manipulate backend database queries via crafted input. The flaw carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact, though EPSS rates near-term exploitation probability at only 0.04% and no public exploit identified at time of analysis. The vulnerability was disclosed by Turkey's national CERT (USOM) under advisory TR-25-0332.

Technical ContextAI

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning the Aykome License Tracking System concatenates or interpolates untrusted input directly into SQL statements without parameterization or proper escaping. Aykome is a commercial license-tracking platform developed by Cats Bilgi Teknolojileri (Cats Information Technology), typically deployed by Turkish enterprises to manage software license inventories. Because license-tracking systems commonly store sensitive asset, user, and entitlement data, the underlying database is a high-value target for SQLi exploitation including data exfiltration, authentication bypass, and potentially OS-level command execution depending on the DBMS configuration (e.g., xp_cmdshell on MSSQL or UDF abuse on MySQL).

Affected ProductsAI

The Aykome License Tracking System developed by Cats Information Technology Software Development Technologies is affected in all versions released before the 06.10.2025 (October 6, 2025) build. No CPE strings were published in the available NVD data, and exact version numbers are not enumerated - the cutoff is identified by release date rather than semantic version. Vendor and national CERT advisories are available at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0332 and https://www.usom.gov.tr/bildirim/tr-25-0332.

RemediationAI

Upgrade Aykome License Tracking System to the build dated 06.10.2025 or later, as referenced in USOM advisory TR-25-0332 (https://www.usom.gov.tr/bildirim/tr-25-0332 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0332); an exact semantic version number is not published, so verify the build date directly with Cats Information Technology. Until patching is complete, restrict network reachability of the application to trusted management VLANs or place it behind a WAF with SQL injection signatures tuned to the application's parameters (accepting that WAFs are bypassable and add latency), enforce least-privilege database accounts so the application user cannot read system tables or invoke command-execution stored procedures (which may break legitimate admin workflows that rely on elevated DB rights), and increase database query logging to detect anomalous statement patterns. Avoid exposing the system to the public internet pending patch verification.

Share

CVE-2025-6919 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy