HIGH 7.5

CVE-2018-25391: HaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability

HaPe PKH 1.1 contains a critical authorization bypass flaw that allows anyone on the internet to delete administrative records without logging in or proving identity. An attacker can craft simple requests to remove administrator accounts and system updates by directly specifying which records to delete. The application fails to verify whether the requester has permission to perform these destructive actions, making it trivial to sabotage the system's core administrative functions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25391 is an authorization bypass vulnerability in HaPe PKH 1.1 affecting two deletion endpoints: admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus). Both endpoints accept record identifiers in requests but do not validate authentication or authorization context before processing deletions. An unauthenticated attacker can send crafted HTTP requests to delete pengurus (administrator) records and system update records. The vulnerability stems from insufficient access control enforcement (CWE-862) at the application logic layer, where delete operations proceed without checking the requester's identity or role.

Business impact

Unauthorized deletion of administrative accounts undermines user access management and governance, potentially locking out legitimate administrators and disrupting operational oversight. Deletion of update records can sabotage system patch management, leaving the application vulnerable to other known exploits and preventing timely security updates. An attacker could rapidly degrade system integrity, cause denial of service to administrative functions, and force costly incident response and database restoration efforts. Organizations relying on HaPe PKH 1.1 for critical administrative workflows face high risk of business interruption.

Affected systems

HaPe PKH version 1.1 is affected. Verify whether your organization uses this application and version. If you maintain or depend on HaPe PKH deployments—particularly in administrative or multi-tenant environments where record integrity is critical—this vulnerability poses direct risk to your systems.

Exploitability

Exploitability is extremely high. The vulnerability requires no authentication, no special network positioning, and no user interaction. An attacker needs only network access to the application and knowledge of the vulnerable endpoint paths and parameter structure—details readily available through basic reconnaissance. Exploitation can be weaponized through a single HTTP request, making attacks trivially automatable and detectable only through careful access logging. The lack of complexity, combined with the destructive nature of the action, creates significant risk.

Remediation

Upgrade HaPe PKH immediately to a patched version released after this vulnerability disclosure. Verify the exact patch version against the vendor's official advisory. Until patching is complete, implement strict network segmentation to restrict access to the admin interface to trusted IP ranges, enforce authentication at the reverse proxy or WAF layer, and deploy request filtering rules that block suspicious delete operations from unauthenticated sources. Monitor and audit all deletion requests to the vulnerable endpoints in real time.

Patch guidance

Check the official HaPe PKH vendor advisory for the patched version addressing CVE-2018-25391. Apply the patch to all affected instances of version 1.1 in your environment as an emergency priority. Verify the patch installation by confirming the application version in the admin interface or changelog. Test deletion endpoints in a staging environment to confirm authorization checks are now enforced before deploying to production. Document the patching timeline for compliance and incident response records.

Detection guidance

Monitor HTTP access logs for unauthenticated requests to admin/modul/mod_pengurus/aksi_pengurus.php and admin/modul/mod_update/aksi_update.php endpoints, particularly those containing the 'act=hapus' parameter. Alert on successful HTTP 200 responses to these paths from unauthenticated sources. Implement application-level logging that records deletion events with the requester's authentication status and user ID. Check for gaps in deletion records or unexpected removal of administrator accounts or update entries. Compare current administrator counts and update records against recent backups to detect silent deletions.

Why prioritize this

This vulnerability merits immediate remediation due to the combination of high CVSS score (7.5), complete lack of authentication barriers, and direct impact on system integrity and administrative control. Unlike many authorization flaws that affect data confidentiality, this one enables destructive actions that can render systems operationally unavailable and compromise governance. The trivial exploitability means threat actors require minimal sophistication to weaponize it, and the reputational and operational damage from deleted admin accounts or sabotaged updates is severe.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, and User Interaction: None, yielding high impact to system integrity (Integrity: High) but no confidentiality or availability impact in the base vector. In practical terms, the integrity impact is severe because deletion of administrative records and system updates fundamentally compromises system control and security posture. The lack of authentication and automation potential elevate real-world risk beyond the base score for organizations with public-facing HaPe PKH instances.

Frequently asked questions

Can an attacker delete all administrator accounts at once?

Yes. If the attacker can enumerate or predict administrator record IDs, they can issue multiple delete requests to remove multiple accounts in rapid succession. This could potentially lock out all administrative access, triggering a denial-of-service condition for management functions.

Does this vulnerability affect data confidentiality or expose sensitive information?

No. The vulnerability does not expose data or enable unauthorized reading of records. The impact is limited to unauthorized deletion (integrity) and potential service disruption. However, the destruction of update records can indirectly leave the system open to other vulnerabilities that could compromise confidentiality.

Is there a workaround if I cannot patch immediately?

No complete workaround exists, but risk can be reduced by restricting network access to the admin interface via firewall rules, IP whitelisting, or a WAF that blocks unauthenticated requests to the vulnerable endpoints. However, these mitigations are temporary and do not replace patching.

How can I tell if my instance has been exploited?

Check your web server access logs for unusual DELETE or POST requests to the vulnerable endpoint paths (aksi_pengurus.php and aksi_update.php) from external or unauthenticated sources. Compare your current administrator account list and update records against known good snapshots from before the vulnerability disclosure date.

This analysis is provided for informational purposes to support vulnerability assessment and risk management. It is not a substitute for vendor advisories, security research, or professional incident response services. Verify all technical details, affected versions, and patch availability against official vendor documentation before taking remediation actions. SEC.co makes no warranty regarding the accuracy or completeness of this information and assumes no liability for decisions made in reliance upon it. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).