
CVE-2024-4259: CWE-862 Missing Authorization in SAMPAŞ Holding AKOS (AkosCepVatandasService)

Severity: Medium
Tags: vulnerability, cve-2024-4259, cwe-862
Published: Tue Sep 03 2024 (09/03/2024, 13:15:31 UTC)
Source: CVE Database V5
Vendor/Project: SAMPAŞ Holding
Product: AKOS (AkosCepVatandasService)

Description

Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect Data as Provided by Users. This issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7.

AI-Powered Analysis

Last updated: 10/14/2025, 13:11:49 UTC

Technical Analysis

CVE-2024-4259 identifies a missing authorization vulnerability (CWE-862) in two components of SAMPAŞ Holding's AKOS platform: AkosCepVatandasService (versions before 2.0) and TahsilatService (versions before 1.0.7). These services handle citizen-related data and payment collection, respectively. The vulnerability arises because the affected services do not enforce authorization checks before allowing access to data provided by users. Consequently, an unauthenticated attacker can remotely invoke these services over the network, without any user interaction or privileges, and retrieve data that should be protected. The CVSS v4.0 score of 6.9 corresponds to medium severity: the attack vector is network-based, attack complexity is low, no authentication or user interaction is required, and the confidentiality and integrity impacts are limited. Availability is not affected, and the scope is confined to the vulnerable services. No patches or exploits are currently publicly available, but the issue is officially published and tracked by TR-CERT. The vulnerability highlights a critical design flaw in the access control mechanisms of these AKOS services, potentially exposing sensitive user or payment data to unauthorized parties.

Potential Impact

For European organizations, the primary impact of CVE-2024-4259 is unauthorized data disclosure and potential data integrity issues within systems using the affected AKOS services. Organizations that rely on SAMPAŞ Holding's AKOS platform for citizen data management or payment processing could face data breaches, leading to privacy violations under GDPR and reputational damage. The lack of authentication and authorization checks means attackers can remotely access sensitive information without any credentials, increasing the risk of data leakage. Although availability is not impacted, the confidentiality breach could facilitate further attacks or fraud. Financial institutions, government agencies, and service providers interfacing with Turkish entities or using these services in Europe are particularly at risk. The medium severity rating suggests that while the vulnerability is serious, it does not allow full system compromise or widespread disruption but still requires urgent remediation to prevent exploitation.

Mitigation Recommendations

1. Immediately upgrade affected AKOS services to versions 2.0 or later for AkosCepVatandasService and 1.0.7 or later for TahsilatService once patches are released by SAMPAŞ Holding.
2. Until patches are available, restrict network access to these services using firewall rules or network segmentation to limit exposure to trusted internal users only.
3. Implement additional authorization checks at the application or API gateway level to enforce strict access control policies, ensuring only authenticated and authorized users can invoke sensitive service endpoints.
4. Conduct thorough code reviews and penetration testing focused on authorization logic to identify and remediate similar flaws in other components.
5. Monitor logs and network traffic for unusual access patterns or unauthorized data retrieval attempts targeting these services.
6. Educate development and security teams on secure coding practices related to authorization and access control to prevent recurrence.
7. Coordinate with SAMPAŞ Holding and TR-CERT for updates and advisories regarding this vulnerability.
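The following is an added, hypothetical illustration of the CWE-862 pattern behind this advisory and of the authorization enforcement that mitigation step 3 calls for (with the denial logging that step 5 relies on). It is not SAMPAŞ or AKOS code and says nothing about how the real services are built: the endpoint, record store, session table, roles and token values are all constructed for the example. A vulnerable handler that trusts a caller-supplied citizen identifier is shown beside a hardened handler that authenticates the caller, then checks object-level authorization against the specific record requested.

```python
"""Hypothetical CWE-862 illustration: a handler with no authorization
check beside one that enforces it. Added example; not AKOS code.
All names, records and tokens below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data store: citizen records keyed by citizen id.
CITIZEN_RECORDS = {
    "C-1001": {"name": "Alice Example", "balance_due": 120.50},
    "C-1002": {"name": "Bob Example", "balance_due": 0.0},
}

# Constructed session table: bearer token -> (subject id, roles).
SESSIONS = {
    "tok-alice": ("C-1001", {"citizen"}),
    "tok-bob": ("C-1002", {"citizen"}),
    "tok-clerk": ("staff-7", {"collections_clerk"}),
}

# Audit trail of denied requests (what step 5 would monitor).
AUDIT_LOG: list = []


@dataclass
class Request:
    path: str
    citizen_id: str          # identifier supplied by the caller
    token: Optional[str] = None


@dataclass
class Response:
    status: int
    body: object = None


def vulnerable_get_citizen(req: Request) -> Response:
    """The CWE-862 pattern: the caller-supplied citizen_id is used directly,
    with no check of who is asking or whether they may see this record."""
    record = CITIZEN_RECORDS.get(req.citizen_id)
    return Response(404) if record is None else Response(200, record)


def authenticate(req: Request):
    """Return (subject, roles) for a valid session token, else None."""
    if req.token is None:
        return None
    return SESSIONS.get(req.token)


def authorize(subject: str, roles: set, citizen_id: str) -> bool:
    """Object-level rule: a citizen may read only their own record;
    a collections clerk may read any record."""
    if "collections_clerk" in roles:
        return True
    return "citizen" in roles and subject == citizen_id


def hardened_get_citizen(req: Request) -> Response:
    """Authenticate first, then authorize against the specific record
    requested; log every denial so unusual access patterns are visible."""
    principal = authenticate(req)
    if principal is None:
        AUDIT_LOG.append(f"DENY 401 path={req.path} citizen_id={req.citizen_id}")
        return Response(401)
    subject, roles = principal
    if not authorize(subject, roles, req.citizen_id):
        AUDIT_LOG.append(
            f"DENY 403 subject={subject} path={req.path} citizen_id={req.citizen_id}"
        )
        return Response(403)
    record = CITIZEN_RECORDS.get(req.citizen_id)
    return Response(404) if record is None else Response(200, record)


def denied_requests_by_subject(log) -> dict:
    """Count 403 denials per subject from the audit log. A subject that is
    repeatedly denied access to other citizens' records is the kind of
    pattern mitigation step 5 suggests watching for."""
    counts: dict = {}
    for line in log:
        if not line.startswith("DENY 403 "):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        counts[fields["subject"]] = counts.get(fields["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    anon = Request("/citizen", "C-1001")
    print("vulnerable, no token:", vulnerable_get_citizen(anon).status)   # 200: data leaks
    print("hardened, no token:  ", hardened_get_citizen(anon).status)     # 401
    print("hardened, other user:", hardened_get_citizen(Request("/citizen", "C-1001", "tok-bob")).status)  # 403
    print("hardened, owner:     ", hardened_get_citizen(Request("/citizen", "C-1001", "tok-alice")).status)  # 200
    print("denials by subject:  ", denied_requests_by_subject(AUDIT_LOG))
```

The check that matters is the one inside `authorize`: it is evaluated against the record the caller asked for, not merely against whether the caller has a valid session. Enforcing the same rule at an API gateway in front of an unpatched service (mitigation step 2 and 3) follows the same shape: reject requests without a valid principal, then compare the principal to the object named in the request before forwarding it.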


Technical Details

Data Version: 5.1
Assigner Short Name: TR-CERT
Date Reserved: 2024-04-26T14:40:25.762Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ee47d1509368ccaa6fd05e

Added to database: 10/14/2025, 12:53:37 PM

Last enriched: 10/14/2025, 1:11:49 PM

Last updated: 10/14/2025, 7:40:09 PM

