CVE-2018-25394: SQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
Kados R10 GreenBee contains an SQL injection flaw that allows attackers without authentication to read sensitive database information by crafting malicious web requests. The vulnerability exists in a administrative function that fails to properly validate user input, enabling an attacker to embed SQL commands directly into the system's database queries. This could expose usernames, database names, and system version details.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter of boards_buttons/update_release.php. The release_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in boards_buttons/update_release.php, where the release_id parameter is concatenated directly into SQL statements without input sanitization. Attackers can exploit this by sending a crafted GET request containing a UNION-based SQL injection payload. The lack of parameterized queries or prepared statements means arbitrary SQL SELECT operations can be executed against the backend database. The flaw requires no authentication, no user interaction, and no special network access—making it network-accessible to anyone with HTTP connectivity to the affected application.
Business impact
Successful exploitation enables unauthorized database reconnaissance and information disclosure. An attacker could extract user credentials, application configuration data, and other sensitive records stored in the database. While the CVSS vector indicates limited impact to data integrity and no availability impact, the high confidentiality rating reflects the risk of broad data exposure. For organizations running GreenBee in production, this creates a direct pathway for initial reconnaissance in multi-stage attacks.
Affected systems
Kados R10 GreenBee is affected. Verify your deployment version against Kados vendor advisories to confirm whether your instance requires patching.
Exploitability
This vulnerability exhibits high exploitability characteristics: network-accessible, requires no authentication or user interaction, and can be triggered via simple GET requests with injected payloads. UNION-based SQL injection techniques are well-documented and tooling is readily available. An attacker with basic web security knowledge can craft a working exploit. The primary barrier is discovering instances running GreenBee; once identified, exploitation is straightforward.
Remediation
Apply the security patch provided by Kados for R10 GreenBee. Patch availability and version numbers should be verified against the official Kados security advisory. In parallel, implement network segmentation to restrict access to administrative functions like boards_buttons/update_release.php to trusted internal networks only. Deploy a Web Application Firewall (WAF) with SQL injection detection rules as a compensating control pending patch deployment.
Patch guidance
Contact Kados support or consult their security advisories for the specific patch version addressing CVE-2018-25394. Prioritize patching given the network-accessible, unauthenticated nature of the flaw. Test patches in a non-production environment before production deployment to ensure compatibility with your GreenBee configuration. After patching, validate that the release_id parameter is properly parameterized or escaped in all database queries.
Detection guidance
Monitor HTTP access logs for suspicious GET requests to boards_buttons/update_release.php, particularly those containing SQL metacharacters (single quotes, UNION keywords, SELECT statements, comment operators like -- or /*). Look for unusual characters or encoded payloads in the release_id parameter. Implement database query logging to detect anomalous SELECT operations or access patterns originating from the web application. Network-based intrusion detection signatures for UNION-based SQL injection payloads should trigger on affected endpoints.
Why prioritize this
This vulnerability merits immediate attention due to its high CVSS score (8.2), zero authentication requirement, network accessibility, and lack of user interaction needed for exploitation. While not currently listed in CISA's Known Exploited Vulnerabilities catalog, the simplicity of the attack vector and the sensitive nature of database information at risk justify urgent patching. Organizations should treat this as a critical remediation candidate.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects: Attack Vector Network (full remote access), Attack Complexity Low (no special conditions needed), Privileges Required None (no credentials needed), User Interaction None (automatic exploitation possible), Scope Unchanged, Confidentiality High (full database disclosure possible), Integrity Low (limited write capability assumed), and Availability None (no denial-of-service vector). The score appropriately weighs the ease of exploitation against the serious but non-catastrophic impact.
Frequently asked questions
Is this vulnerability currently being exploited in the wild?
CVE-2018-25394 is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning there is no confirmed evidence of active exploitation as of the last KEV update. However, the simplicity of the attack and the disclosure of technical details mean exploitation could begin at any time. Do not delay remediation.
Can this vulnerability be exploited if GreenBee is behind a firewall or VPN?
Yes. The vulnerability is network-accessible and requires only HTTP connectivity. If an attacker can reach the boards_buttons/update_release.php endpoint—whether from inside or outside your network—they can attempt exploitation. Network segmentation and access controls should still be in place, but they are not sufficient without the patch.
What data is at risk if this vulnerability is exploited?
An attacker can extract any data stored in the GreenBee database, including user credentials, application settings, project data, and potentially integrated third-party information. The specific sensitivity depends on what your organization stores in GreenBee. Database user roles, table structures, and DBMS version information are also at risk.
Do I need to assume my database has been compromised if I've been running unpatched GreenBee?
Not necessarily, but you should conduct a forensic review of database access logs and authentication records for any signs of suspicious activity. Check for unusual queries, account creation, or privilege escalation. If you cannot confirm the system was not exploited, treat database credentials as compromised and rotate them after patching.
This analysis is provided for informational purposes by SEC.co and does not constitute legal, compliance, or commercial advice. Organizations are responsible for determining the applicability of this vulnerability to their specific deployments and for making patching decisions aligned with their risk management policies. Verify all technical details, patch availability, and remediation steps against official Kados vendor advisories before implementation. SEC.co does not provide warranty or guarantee regarding the accuracy or completeness of this analysis in your specific environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25398HIGHUnauthenticated SQL Injection in Open ISES Project 3.30A