MEDIUM 5.3

CVE-2018-25387: HaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset

HaPe PKH 1.1 contains a cross-site request forgery (CSRF) vulnerability that enables attackers to change administrator passwords without needing to log in. An attacker can trick an authenticated administrator into visiting a malicious website or clicking a crafted link, which silently submits a forged request to modify admin credentials. This allows complete account takeover of administrative users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25387 is a CSRF vulnerability (CWE-352) in HaPe PKH 1.1 affecting the aksi_user.php user update endpoint. The vulnerability stems from insufficient anti-CSRF protections on password change operations. Attackers craft HTML forms or JavaScript that, when loaded by an authenticated admin, automatically submit POST requests with parameters such as id_user, password, and level to alter administrator accounts. The endpoint fails to validate request origin or implement token-based CSRF protections, allowing unauthenticated attackers to perform state-changing actions on behalf of legitimate users.

Business impact

Successful exploitation results in complete administrative account compromise. An attacker can reset admin passwords and potentially lock out legitimate administrators, disrupt system operations, modify user permissions, or establish persistent access to HaPe PKH systems. Organizations relying on HaPe PKH for user management face loss of administrative control and potential data tampering within the application's scope.

Affected systems

HaPe PKH version 1.1 is affected. No other versions have been specified in available vulnerability data. Verify your specific deployment version against the vendor advisory to confirm exposure.

Exploitability

This vulnerability requires no network authentication or special privileges to exploit; however, it does require user interaction—specifically, an authenticated administrator must visit an attacker-controlled website or click a malicious link while logged into HaPe PKH. The attack surface is network-accessible with low attack complexity, making it practical for targeted social engineering campaigns against admin personnel. The CVSS 3.1 score of 5.3 (MEDIUM) reflects the requirement for user interaction and limited scope of impact.

Remediation

Upgrade HaPe PKH to a patched version released after this vulnerability's discovery. Verify the specific patch version by consulting the vendor's security advisory. As an interim measure, implement network segmentation to restrict admin access to trusted networks, enforce strong authentication mechanisms outside HaPe PKH (such as SSO or multi-factor authentication at network ingress), and educate administrators about CSRF risks and suspicious link patterns.

Patch guidance

Apply the vendor's security update for HaPe PKH immediately upon availability. Verify patch eligibility by confirming your current version (1.1) against the vendor release notes. Test patches in a non-production environment before wide deployment. If the vendor has not yet released a patch, consult the vendor advisory for an estimated timeline and interim mitigation strategies.

Detection guidance

Monitor HTTP logs for unusual POST requests to aksi_user.php originating from external referrers or lacking expected Referer headers matching your domain. Look for rapid consecutive password change operations targeting administrative accounts, particularly from different IP addresses or user sessions. Implement SIEM rules to alert on failed authentication attempts followed by successful privilege escalation or user modification events. Review audit logs in HaPe PKH for unexpected changes to admin account credentials or privilege levels.

Why prioritize this

While the CVSS score is MEDIUM (5.3), prioritization should account for the critical nature of administrative credential compromise. Any successful exploitation grants attacker parity with system administrators. Organizations with externally-facing HaPe PKH instances or where admins frequently access untrusted websites should treat this as higher priority. However, the requirement for admin interaction and lack of widespread exploitation (not on the KEV list) means this is not an emergency patch for isolated, air-gapped deployments.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:N is absent; interaction is implicit in CSRF context). Integrity impact is limited (I:L) because the attacker can modify credentials but not read sensitive data or cause denial of service through this vector. Scope is unchanged (S:U), limiting blast radius. The score does not reflect organizational risk; consider elevated priority if HaPe PKH manages critical system users.

Frequently asked questions

Can an attacker exploit this without the admin visiting a malicious site?

No. CSRF requires the victim (an authenticated admin) to visit an attacker-controlled page or click a malicious link while logged into HaPe PKH. The vulnerability cannot be exploited remotely against an idle admin account.

Does this vulnerability allow reading passwords or other sensitive data?

No. The vulnerability is limited to integrity—specifically, modifying admin credentials. It does not permit confidentiality breaches such as reading encrypted passwords or accessing user databases.

Is this vulnerability currently being exploited in the wild?

This vulnerability is not on CISA's Known Exploited Vulnerabilities (KEV) list, indicating no confirmed widespread exploitation has been reported as of the latest update. However, CSRF vulnerabilities are well-understood attack vectors, so careful monitoring remains warranted.

What should we do if we cannot patch immediately?

Implement compensating controls: restrict HaPe PKH access to trusted internal networks via firewall rules, enforce multi-factor authentication for admin accounts, educate administrators about CSRF and phishing risks, and monitor user modification audit logs for anomalies. These measures reduce attack surface while you plan patching.

This analysis is based on publicly available CVE data as of June 2026. Specific patch versions, vendor timelines, and detailed remediation steps must be verified directly with HaPe PKH vendors or official security advisories. Organizations should conduct their own risk assessments and testing before applying patches or making architectural changes. SEC.co provides this information for informational purposes and does not warrant completeness or accuracy in all deployment scenarios. Always consult official vendor resources for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).