HIGH 7.1

CVE-2018-25392: SQL Injection in MaxOn ERP Software 8.x-9.x

MaxOn ERP Software versions 8.x through 9.x contain a SQL injection flaw that lets authenticated users inject malicious SQL commands through specific parameters in the activity logging function. An attacker with valid credentials can craft POST requests to extract sensitive database information such as version numbers and database names. While exploitation requires authentication, the impact—unauthorized access to database structure and sensitive data—represents a meaningful security risk for organizations running these versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25392 is a SQL injection vulnerability (CWE-89) in MaxOn ERP Software affecting versions 8.x and 9.x. The vulnerability exists in the log_activity function, which fails to properly sanitize user-supplied input in the nomor, user, and jenis parameters. An authenticated attacker can send a POST request to /index.php/user/log_activity containing crafted SQL payloads to execute arbitrary queries against the backend database. This enables information disclosure, including database version and naming details, which can be leveraged for further attack planning.

Business impact

For organizations using MaxOn ERP Software, this vulnerability poses a moderate but concrete risk. Authenticated insiders or attackers who have obtained valid credentials can access sensitive database metadata and potentially retrieve confidential business data stored in the ERP system—customer records, financial transactions, inventory data, or proprietary information. In regulated industries (finance, healthcare, retail), such unauthorized data access may trigger compliance violations and breach notification obligations. The requirement for authentication raises the bar somewhat, but insider threats and credential compromise remain credible attack vectors.

Affected systems

MaxOn ERP Software versions 8.x and 9.x are affected. Organizations should verify their deployed version against the vendor's release documentation. The vulnerability is specific to the log_activity endpoint and the parameters it processes, so systems running unpatched versions in this range are in scope. Earlier versions (7.x and below) and versions after 9.x (if released) should be verified against vendor advisories to confirm in-scope or out-of-scope status.

Exploitability

Exploitation requires valid user credentials—the vulnerability is not remotely exploitable without authentication. An attacker would need either internal access, compromised user accounts, or successful credential theft. Once authenticated, the attack is straightforward: crafting a malicious POST request with SQL injection payloads in the specified parameters. The low attack complexity (AC:L) and network-accessible endpoint mean that exploitation is practical for anyone with valid access. The absence of user interaction (UI:N) removes friction from the attack chain.

Remediation

Organizations should apply vendor security patches as soon as they become available. Until patches are deployed, consider limiting access to MaxOn ERP administrative interfaces, enforcing strong credential policies to reduce the risk of account compromise, and implementing database-level access controls to constrain what authenticated accounts can query. Additionally, monitor database query logs for suspicious SQL patterns that might indicate exploitation attempts.

Patch guidance

Verify the latest available patch version for MaxOn ERP Software against the vendor's security advisory and release notes. Apply patches in a controlled manner—first to non-production environments, then to production during a maintenance window. Confirm that the patch addresses the log_activity function and the nomor, user, and jenis parameters. Test application functionality after patching to ensure no regressions. Document the patch version and deployment date for compliance and audit purposes.

Detection guidance

Monitor incoming POST requests to /index.php/user/log_activity for suspicious patterns in the nomor, user, and jenis parameters—look for SQL keywords, quotes, semicolons, or comment syntax that deviate from expected input. Log and alert on database queries executed by the ERP application that contain UNION, SELECT INTO, or other data-exfiltration SQL constructs. Review database access logs for unusual query volume or structure originating from authenticated ERP accounts. Implement Web Application Firewall (WAF) rules to block requests containing common SQL injection payloads.

Why prioritize this

This vulnerability merits medium-to-high priority due to its HIGH CVSS score (7.1), which reflects high confidentiality impact and the network-accessible nature of the vulnerable endpoint. While authentication is required (lowering exploitability somewhat), insider threats and credential compromise are realistic scenarios. The vulnerability enables direct data exfiltration from the ERP system, affecting business-critical information. Organizations should treat patching as urgent, especially if the ERP system stores financial, customer, or other sensitive data.

Risk score, explained

The CVSS 3.1 score of 7.1 (HIGH severity) is driven by: high confidentiality impact (C:H)—successful exploitation allows unauthorized database access; low integrity impact (I:L)—limited ability to modify data; no availability impact (A:N); network vector (AV:N)—the vulnerable endpoint is accessible over the network; low attack complexity (AC:L)—standard SQL injection techniques suffice; and low privileges required (PR:L)—valid credentials are needed. The unchanged scope (S:U) limits cross-boundary impact. The overall score reflects meaningful risk to data confidentiality without critical system disruption potential.

Frequently asked questions

Do I need valid credentials to exploit this vulnerability?

Yes. The vulnerability requires an authenticated user account in MaxOn ERP Software. However, this does not eliminate risk—compromised credentials, insider threats, and account sharing are realistic attack vectors in many organizations.

What types of data can an attacker access?

Through SQL injection in the log_activity function, an attacker can extract database metadata (version, database names) and potentially query any data the ERP database account has permission to access, including customer records, transactions, and business data.

Is there a public exploit or KEV entry for this vulnerability?

No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code has been identified. However, the absence of public exploit code does not guarantee security—SQL injection is a well-understood attack class.

How should I prioritize patching this against other vulnerabilities?

Given the HIGH CVSS score and the access to sensitive ERP data, prioritize this within your high-risk patch queue. If MaxOn provides a patch, apply it within 2-4 weeks unless your organization has compensating controls (e.g., strict network segmentation or database-level restrictions on ERP user accounts).

This analysis is provided for informational purposes and reflects publicly available information as of the publication date. Vulnerability details, patch availability, and vendor guidance may change. Organizations should verify all patch versions, affected product ranges, and remediation steps against official MaxOn ERP vendor advisories and security notices. SEC.co makes no warranty regarding the accuracy, completeness, or applicability of this analysis to your specific environment. Always conduct your own risk assessment and testing before deploying patches or security controls in production. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).