HIGH 8.2

CVE-2018-25395: Kados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access

Kados R10 GreenBee contains a critical SQL injection flaw in its board feature management interface. An attacker without authentication can craft a specially formatted web request targeting the feature update function to inject arbitrary SQL commands directly into the database. This allows the attacker to read sensitive data like database credentials, user information, and system details—potentially exposing the entire database to compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of boards_buttons/update_feature.php. The feature_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in boards_buttons/update_feature.php where the feature_id parameter is concatenated directly into SQL query strings without input validation or prepared statement use. An attacker can submit a GET request with a UNION-based SQL injection payload to the unprotected endpoint, bypassing the need for authentication. The injected SQL executes in the context of the database user, allowing enumeration of database metadata (current user, database name, DBMS version) and extraction of arbitrary table data. The vulnerability is classified as CWE-89 (SQL Injection).

Business impact

An attacker exploiting this vulnerability gains unauthorized read access to the entire application database without credentials. Depending on data stored in Kados R10 GreenBee, this could expose customer records, authentication tokens, configuration secrets, or other sensitive operational data. The combination of no authentication requirement and high information disclosure capability creates significant risk for data breaches and potential regulatory compliance violations (GDPR, HIPAA, etc. depending on data classification).

Affected systems

Kados R10 GreenBee is affected. No specific version ranges or patch versions have been disclosed in available sources; organizations using this product should consult the vendor advisory for definitive affected version information and remediation guidance.

Exploitability

This vulnerability is readily exploitable. It requires only network access to the affected endpoint, no authentication, and no user interaction. SQL injection payloads are well-understood attack techniques with publicly available tools and examples. The network-accessible nature (AV:N), low attack complexity (AC:L), and lack of required privileges (PR:N) make this a practical target for both opportunistic and targeted attackers.

Remediation

Immediate patching from Kados is the primary remediation. Until a patch is available, implement network-level access controls to restrict access to the boards_buttons directory to trusted networks only. Input validation and parameterized queries should be implemented by the vendor in a patch release. Organizations should verify against the vendor's official advisory for exact patch availability and version numbers.

Patch guidance

Contact Kados for patch availability and version information, or check the vendor's security advisories directly. Apply patches immediately upon release given the unauthenticated nature of the exploit. Test patches in a non-production environment before deployment. Verify patch effectiveness by confirming that direct SQL injection payloads to the feature_id parameter are no longer executed.

Detection guidance

Monitor web server logs and WAF logs for suspicious GET requests to boards_buttons/update_feature.php containing SQL keywords (UNION, SELECT, WHERE) or special characters (quotes, semicolons, dashes) in the feature_id parameter. Search for patterns like '%20UNION%20', '%27OR%271%27', or encoded variants. Implement database query logging to detect unusual SELECT statements querying system tables like information_schema. Network-based IDS/IPS signatures targeting SQL injection in HTTP parameters should be enabled.

Why prioritize this

This vulnerability merits immediate prioritization due to the combination of high confidentiality impact (C:H), unauthenticated attack surface (PR:N, UI:N), and network accessibility (AV:N). The ability to extract sensitive database contents without any credentials or user interaction creates material risk. Organizations should treat this as critical and patch or mitigate within days, not weeks.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects high confidentiality impact from database information disclosure, combined with low attack complexity and complete lack of access barriers. The integrity impact is rated as low because the vulnerability is read-focused (data extraction via UNION queries), not write-focused, though database enumeration could facilitate subsequent modifications. Availability is unaffected.

Frequently asked questions

Can an attacker modify or delete data with this vulnerability?

The SQL injection vulnerability is primarily suited for data extraction (SELECT queries) using UNION-based techniques. While theoretically a sufficiently skilled attacker could craft INSERT, UPDATE, or DELETE payloads, the vulnerability as described focuses on confidentiality. Assume worst-case and patch immediately regardless.

Do I need to be authenticated to exploit this?

No. This is an unauthenticated vulnerability. Any attacker with network access to the affected endpoint can attempt exploitation without valid credentials or user interaction.

What data is at risk?

Any data stored in the Kados R10 GreenBee database is at risk, including user accounts, potentially hashed or plaintext credentials, configuration data, and application-specific business data. The exact scope depends on your deployment and data model.

Is there a public exploit available?

No active public exploit code has been disclosed as of the publication date. However, SQL injection exploitation techniques are well-documented, and functional exploits could be developed quickly by motivated attackers.

This analysis is provided for informational and defensive purposes. No exploit code, proof-of-concept demonstrations, or weaponized attack instructions are included. Organizations should verify all patch versions, vendor advisories, and affected product scope directly with Kados before taking remediation actions. This vulnerability intelligence does not constitute security audit findings or compliance guidance specific to your environment. Test all patches and mitigations in non-production systems before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).