CVE-2024-13152: Mobuy Panel: SQLi allows unauthenticated DB takeover

CRITICAL
Published February 14, 2025
CISO Take

CVE-2024-13152 is a CVSS 10.0 SQL injection in the Mobuy Online Machinery Monitoring Panel that requires zero authentication — any unauthenticated attacker with network reach can read, alter, or destroy the entire database backing your ML monitoring infrastructure. The changed scope flag (S:C) signals potential blast radius beyond the panel itself, and with 30 CVEs already against this package and an OpenSSF score of 6.5/10, this vendor carries systemic security debt that should trigger immediate procurement risk review. No public exploit is listed and the CVE is absent from CISA KEV, but unauthenticated network SQL injection is weaponized in hours once discovered — exploitability is trivial regardless of EPSS lag. Upgrade to version 2.0 immediately; if patching is delayed, isolate the panel behind a VPN or IP allowlist and deploy WAF rules blocking SQL injection payloads.

Sources: NVD, ATLAS, OpenSSF, siberguvenlik.gov.tr

What is the risk?

Maximum exploitability profile: network-reachable, no authentication, no user interaction, low complexity — CVSS 10.0 is not an overstatement. The changed scope component means the blast radius extends beyond the Mobuy Panel database to adjacent resources sharing the same infrastructure, including ML model configuration stores and operational data pipelines. The package's track record (30 CVEs, OpenSSF 6.5/10) suggests no single patch ends the exposure window — organizations should treat this as a vendor risk signal, not just a one-off patch event. Absent from CISA KEV for now, but any internet-exposed instance is effectively exploitable by unsophisticated actors without waiting for a published exploit.

How does the attack unfold?

Reconnaissance (AML.T0006): Adversary uses Shodan, Censys, or targeted port scanning to identify internet-exposed Mobuy Online Machinery Monitoring Panel instances by banner or response fingerprint.

Initial Access (AML.T0049): Adversary sends a crafted unauthenticated HTTP request with a SQL injection payload (UNION-based or blind) to a vulnerable panel endpoint — no credentials or user interaction required.

Collection (AML.T0037): Via chained SQL queries, adversary enumerates the database schema and dumps all tables: sensor readings, ML model configurations, user credentials, API keys, and audit logs.

Impact (AML.T0025): Adversary exfiltrates ML operational data for competitive intelligence, injects falsified sensor readings to corrupt anomaly detection outputs, or uses harvested credentials to pivot into adjacent ML services and cloud infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Panel pip No patch

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

7 steps
  1. Patch immediately: upgrade Mobuy Online Machinery Monitoring Panel to version 2.0 or later per the vendor advisory at siberguvenlik.gov.tr/tr-25-0033.

  2. If patching is delayed, place the panel behind a VPN or restrict ingress to known IP ranges at the firewall — eliminate any internet-facing exposure.

  3. Deploy WAF rules targeting SQL injection patterns (ModSecurity CRS or equivalent) as a compensating control.

  4. Audit database user privileges — the application account must have least-privilege access only; revoke any administrative or OS-level execution rights (xp_cmdshell, COPY, superuser).

  5. Review database query logs for anomalous patterns indicating prior exploitation: UNION SELECT, time-based sleep functions, unusual large result sets, or unexpected schema enumeration queries.

  6. Rotate all credentials (database passwords, API keys, service tokens) accessible via or stored in the panel database.

  7. If ML training pipelines ingest data from this panel's database, verify data integrity before the next training run — check for injected anomalies in sensor readings.
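The log review in step 5, as an added example that is not part of the advisory: it scans constructed PostgreSQL-style statement log lines (assumed format; adapt the regex to your database's log layout) for UNION SELECT, time-based delay functions, and schema enumeration. Result-set size is not in these sample lines, so that indicator is left out.

```python
"""Review database query logs for the SQL injection indicators listed in step 5."""
import re

# Constructed sample log lines in a PostgreSQL-like "statement:" format. Assumption:
# the panel's database logs full statements; change STATEMENT_RE for other formats.
SAMPLE_LOG = """\
2025-02-14 10:01:02 LOG: statement: SELECT reading FROM sensor_data WHERE machine_id = 42
2025-02-14 10:01:09 LOG: statement: SELECT reading FROM sensor_data WHERE machine_id = 42 UNION SELECT password FROM users
2025-02-14 10:01:15 LOG: statement: SELECT table_name FROM information_schema.tables
2025-02-14 10:01:20 LOG: statement: SELECT reading FROM sensor_data WHERE machine_id = 42 AND pg_sleep(5) IS NULL
2025-02-14 10:02:00 LOG: statement: SELECT COUNT(*) FROM sensor_data WHERE machine_id = 7
"""

# Indicator patterns from step 5: UNION-based extraction, time-based blind probes,
# and enumeration of catalog/schema tables. Case-insensitive because SQL keywords are.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time_based": re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
    "schema_enum": re.compile(
        r"\b(information_schema\.|sqlite_master|sys\.(tables|columns)|pg_catalog\.)", re.I),
}
STATEMENT_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG: statement: (?P<sql>.*)$")


def flag_suspicious_queries(log_text):
    """Return [(timestamp, indicator, sql)] for each logged statement matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue  # not a statement line (connection noise, errors, etc.)
        sql = m.group("sql")
        for name, pattern in INDICATORS.items():
            if pattern.search(sql):
                findings.append((m.group("ts"), name, sql))
    return findings


if __name__ == "__main__":
    for ts, name, sql in flag_suspicious_queries(SAMPLE_LOG):
        print(f"{ts}  {name:12}  {sql}")
```

A hit is a lead for the credential rotation and integrity checks in steps 6 and 7, not proof of compromise on its own.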

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI system
NIST AI RMF
GOVERN 1.3 - Organizational roles and responsibilities for AI risk management
MANAGE 2.2 - Treatments, responses, and recovery plans for AI risks

Frequently Asked Questions

Is CVE-2024-13152 actively exploited?

No confirmed active exploitation of CVE-2024-13152 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2024-13152?

This vulnerability affects the following AI/ML architecture patterns: Industrial ML monitoring dashboards, Predictive maintenance pipelines, Time-series anomaly detection systems, ML UI and operational dashboards, ML model serving with database backends.

What is the CVSS score for CVE-2024-13152?

CVE-2024-13152 has a CVSS v3.1 base score of 10.0 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

Industrial ML monitoring dashboards
Predictive maintenance pipelines
Time-series anomaly detection systems
ML UI and operational dashboards
ML model serving with database backends

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN 1.3, MANAGE 2.2

What are the technical details?

Original Advisory

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection. This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0.

Exploitation Scenario

An adversary targeting industrial AI/ML monitoring infrastructure identifies an internet-exposed Mobuy Panel instance via Shodan or a targeted port scan on common web ports. With no authentication required, they send a crafted HTTP GET or POST request to a vulnerable endpoint, embedding a UNION-based SQL payload that extracts the database schema. Within minutes, they enumerate all tables — sensor readings, anomaly detection thresholds, ML model performance metrics, user accounts, and API credentials. Using the harvested credentials, the adversary authenticates to adjacent ML services or cloud storage buckets. In the most impactful scenario, they inject fabricated sensor readings over several days, causing the predictive maintenance ML model to generate false negatives, silently masking real equipment failures and potentially enabling a physical industrial incident. Alternatively, they exfiltrate years of proprietary operational data for competitive intelligence or to train a proxy model replicating the victim's ML system.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.
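The separation of data and code that the CWE guidance describes, shown as an added example that is not the vendor's or the Mobuy Panel's code: an assumed toy sqlite3 sensor table is queried once by string concatenation (CWE-89) and once with a bound parameter, on the same inputs.

```python
"""CWE-89 on a toy sensor table: string-built query beside its parameterized form."""
import sqlite3


def build_db():
    """Constructed in-memory sample data standing in for a monitoring panel's sensor table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sensor_data (machine_id TEXT, reading REAL)")
    conn.executemany("INSERT INTO sensor_data VALUES (?, ?)",
                     [("M-1", 71.5), ("M-2", 68.0), ("M-3", 90.2)])
    return conn


def readings_vulnerable(conn, machine_id):
    """Query text is assembled from the input, so the input can change the SQL itself."""
    sql = f"SELECT reading FROM sensor_data WHERE machine_id = '{machine_id}'"
    return [row[0] for row in conn.execute(sql)]


def readings_safe(conn, machine_id):
    """Parameterized query: the value is bound separately and is never parsed as SQL."""
    sql = "SELECT reading FROM sensor_data WHERE machine_id = ?"
    return [row[0] for row in conn.execute(sql, (machine_id,))]


if __name__ == "__main__":
    conn = build_db()
    # A legitimate lookup behaves the same either way.
    print(readings_vulnerable(conn, "M-1"), readings_safe(conn, "M-1"))
    # A value carrying SQL syntax: the concatenated query now returns every row,
    # while the parameterized query looks for a machine literally named that and finds none.
    tampered = "M-1' OR '1'='1"
    print(readings_vulnerable(conn, tampered), readings_safe(conn, tampered))
```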

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
February 14, 2025
Last Modified
June 1, 2026
First Seen
June 12, 2026
