CVE-2025-11024: Akilli E-Commerce Blind SQLi Critical Vulnerability
The National Vulnerability Database (NVD) has published CVE-2025-11024, a critical SQL injection flaw (improper neutralization of special elements used in an SQL command, the weakness class CWE-89) in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website. The flaw is exploitable as blind SQL injection, carries a CVSS v3.1 base score of 9.8, and affects versions prior to 4.5.001.
The vulnerability allows unauthenticated attackers to inject arbitrary SQL into queries run against the underlying database. "Blind" means the application never returns query results or database errors to the attacker; instead, data is inferred one bit or one character at a time, either from a difference in the application's response to a true versus a false injected condition (boolean-based) or from a delay the attacker injects into the query (time-based). Slower than an injection that echoes output, the technique is still fully effective for exfiltrating data, modifying database contents and, depending on the database's privileges and configuration, reaching further into the host.
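The inference described above, shown against a throwaway SQLite database. This is an added illustration of the generic boolean-based technique, not code from the Akilli product (whose source is not on this page); the schema, the `product_exists_*` helpers, the `users` table and the hash value are all constructed for the demo. A time-based variant works the same way, with a database sleep function in place of the true/false difference.

```python
"""Boolean-based blind SQL injection against an in-memory SQLite database.

Added example: the application only reveals whether a product lookup found a
row, yet that single bit is enough to recover a value from another table.
"""
import sqlite3


def build_db():
    """Constructed schema for the demo; nothing here comes from a real product."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget');
        INSERT INTO users VALUES (1, 'admin', 'a1b2c3');
    """)
    return conn


def product_exists_vulnerable(conn, product_id):
    # Untrusted input concatenated into the statement: the CWE-89 pattern.
    sql = "SELECT name FROM products WHERE id = %s" % product_id
    return conn.execute(sql).fetchone() is not None


def product_exists_fixed(conn, product_id):
    # Parameterised query: the value is bound as data, never parsed as SQL.
    sql = "SELECT name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchone() is not None


def extract_hash(oracle, length=6):
    """Recover users.pw_hash character by character from a true/false oracle.

    `oracle(payload)` returns True when the injected condition holds. The
    application never returns the hash itself; only "found" or "not found".
    """
    charset = "0123456789abcdef"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            payload = (
                "1 AND (SELECT substr(pw_hash,%d,1) FROM users "
                "WHERE username='admin')='%s'" % (pos, ch)
            )
            if oracle(payload):
                recovered += ch
                break
        else:
            # No candidate was accepted: the query is not acting as an oracle.
            raise RuntimeError("no character matched at position %d" % pos)
    return recovered


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", extract_hash(lambda p: product_exists_vulnerable(conn, p)))
    try:
        extract_hash(lambda p: product_exists_fixed(conn, p))
    except RuntimeError as exc:
        print("fixed:", exc)
```

Against the parameterised version the same payload is compared as a literal string to the integer `id` column, never matches, and the extraction loop fails at the first position; that is the whole difference between the affected and the fixed behaviour.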
For defenders, the implications are severe. A successful exploitation of this flaw can lead to complete compromise of customer data, financial records, and administrative credentials. This puts the entire e-commerce operation, its customers, and its reputation at extreme risk. Patching is not optional; it’s an immediate imperative.
What This Means For You
- If your organization runs Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website, verify the installed version immediately. If it is earlier than 4.5.001, upgrade to 4.5.001 or later as a priority. Because the flaw is reachable without authentication, also review web server access logs for anomalous query strings against the storefront and audit the e-commerce database (unexpected accounts, changed administrative credentials, bulk reads of customer or order tables) for signs of unauthorized access or data exfiltration since the disclosure.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access), as tagged in the detection rule below.
Detection Rules
```yaml
title: "CVE-2025-11024: Akilli E-Commerce Blind SQLi in Product Search"
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2025-11024 by looking for common blind SQL injection payloads within the 'id' parameter of the product search page (/products.php). This is a critical initial access vector.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-11024/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - "' OR '1'='1'--"
      - "' OR 1=1 --"
      - "' UNION SELECT"
      - "' AND (SELECT"
    cs-uri|contains:
      - "/products.php?id="
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Before deploying this rule, note its limits. The `/products.php` endpoint and the `id` parameter are the rule author's assumption; the NVD summary quoted above names neither, so confirm the vulnerable request against the vendor's advisory. The two field tests inside `selection` are ANDed, and `cs-uri` is not a W3C extended log field (IIS logs the path as `cs-uri-stem` and the query separately as `cs-uri-query`), so check the field mapping for your log source or the rule will never fire. The payload strings are matched literally: a request logged percent-encoded (`%27%20OR%201%3D1`) does not contain `' OR 1=1`, so decode the query before matching or add encoded variants. The list also has no time-based payloads (`SLEEP`, `WAITFOR DELAY`, `pg_sleep`), although the description above names timing as an inference channel. Finally, the Sigma specification expects `id` to be a UUID; converters may warn on the value used here. The title string is quoted because a bare value containing `: ` is not valid YAML.
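A way to exercise the selection against log lines before shipping it. This is an added example, not part of the page or of the SCW feed's tooling. It assumes IIS W3C-format access logs with `cs-uri-stem` and `cs-uri-query` fields, treats the rule's `cs-uri` as stem plus `?` plus query, and runs the rule once on the raw field and once after percent-decoding. The log lines, IP addresses and payloads are constructed for the demo, not real traffic.

```python
"""Apply the Sigma selection above to constructed IIS W3C-style log lines.

Added example. Assumption: `cs-uri` in the rule means cs-uri-stem + "?" +
cs-uri-query, since W3C logs carry no single cs-uri field.
"""
from urllib.parse import unquote_plus

PAYLOADS = ["' OR '1'='1'--", "' OR 1=1 --", "' UNION SELECT", "' AND (SELECT"]
PATH_MARKER = "/products.php?id="

# Constructed sample log (RFC 5737 test addresses, invented requests).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-14 13:20:01 203.0.113.5 GET /products.php id=42 200
2026-05-14 13:20:05 203.0.113.5 GET /products.php id=42'%20AND%20(SELECT%201)=1-- 200
2026-05-14 13:20:07 203.0.113.5 GET /products.php id=42%27%20AND%20(SELECT%201)=1-- 200
2026-05-14 13:20:09 198.51.100.9 GET /search.php q=%27%20UNION%20SELECT%201 200
2026-05-14 13:20:11 203.0.113.5 GET /products.php id=42%27%20AND%20SLEEP(5)-- 200
2026-05-14 13:20:13 203.0.113.5 GET /products.php id=1'+OR+1=1+-- 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def rule_matches(entry, decode):
    """The rule's selection: both field tests must hold (Sigma ANDs them)."""
    query = entry["cs-uri-query"]
    if decode:
        query = unquote_plus(query)  # %27 -> ', %20 and + -> space
    uri = entry["cs-uri-stem"] + "?" + query
    return PATH_MARKER in uri and any(p in query for p in PAYLOADS)


def scan(text, decode):
    """Return (client IP, raw query) for every line the selection matches."""
    return [(e["c-ip"], e["cs-uri-query"])
            for e in parse_w3c(text) if rule_matches(e, decode)]


if __name__ == "__main__":
    print("literal matching:", scan(SAMPLE_LOG, decode=False))
    print("decoded matching:", scan(SAMPLE_LOG, decode=True))
```

Run as written, literal matching returns nothing because every injected query reaches the log percent-encoded, while decoded matching flags the three `/products.php` injections and correctly ignores the `UNION` probe against a different path. The `SLEEP(5)` line is missed in both modes, which is the gap a time-based payload list would close.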
Affected Product
| Field | Value |
|---|---|
| CVE | CVE-2025-11024 |
| Vendor | Akilli Commerce Software Technologies Ltd. Co. |
| Product | E-Commerce Website |
| Affected versions | Before 4.5.001 |
| Weakness | Blind SQL Injection (CWE-89, improper neutralization of special elements used in an SQL command) |
No network or host indicators (attacker addresses, file hashes, infrastructure) are published for this CVE; the table above describes the affected product, not observable indicators of compromise.
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 13:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.