The vulnerability identified as CVE-2024-13147 in Merkur Software's B2B Login Panel is an SQL Injection flaw (CWE-89) that arises from improper neutralization of special elements in SQL commands. This allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to full system compromise. The issue affects all versions prior to 15.01.2025. The CVSS 3.1 base score is 9.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity and no required privileges or user interaction. No patch or official remediation level has been disclosed by the vendor as of the publication date.

Successful exploitation of this vulnerability could allow attackers to execute arbitrary SQL commands on the backend database, leading to unauthorized data disclosure, modification, or deletion, and potentially full system compromise. The critical CVSS score (9.8) reflects the high severity and ease of exploitation without authentication or user interaction. No known exploits have been reported in the wild so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider implementing web application firewall (WAF) rules to detect and block SQL injection attempts and restrict database permissions to minimize potential damage. Monitor vendor channels for official fixes and apply updates promptly once released.