CVE-2018-25395: Kados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access
Kados R10 GreenBee contains a critical SQL injection flaw in its board feature management interface. An attacker without authentication can craft a specially formatted web request targeting the feature update function to inject arbitrary SQL commands directly into the database. This allows the attacker to read sensitive data like database credentials, user information, and system details—potentially exposing the entire database to compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of boards_buttons/update_feature.php. The feature_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in boards_buttons/update_feature.php where the feature_id parameter is concatenated directly into SQL query strings without input validation or prepared statement use. An attacker can submit a GET request with a UNION-based SQL injection payload to the unprotected endpoint, bypassing the need for authentication. The injected SQL executes in the context of the database user, allowing enumeration of database metadata (current user, database name, DBMS version) and extraction of arbitrary table data. The vulnerability is classified as CWE-89 (SQL Injection).
Business impact
An attacker exploiting this vulnerability gains unauthorized read access to the entire application database without credentials. Depending on data stored in Kados R10 GreenBee, this could expose customer records, authentication tokens, configuration secrets, or other sensitive operational data. The combination of no authentication requirement and high information disclosure capability creates significant risk for data breaches and potential regulatory compliance violations (GDPR, HIPAA, etc. depending on data classification).
Affected systems
Kados R10 GreenBee is affected. No specific version ranges or patch versions have been disclosed in available sources; organizations using this product should consult the vendor advisory for definitive affected version information and remediation guidance.
Exploitability
This vulnerability is readily exploitable. It requires only network access to the affected endpoint, no authentication, and no user interaction. SQL injection payloads are well-understood attack techniques with publicly available tools and examples. The network-accessible nature (AV:N), low attack complexity (AC:L), and lack of required privileges (PR:N) make this a practical target for both opportunistic and targeted attackers.
Remediation
Immediate patching from Kados is the primary remediation. Until a patch is available, implement network-level access controls to restrict access to the boards_buttons directory to trusted networks only. Input validation and parameterized queries should be implemented by the vendor in a patch release. Organizations should verify against the vendor's official advisory for exact patch availability and version numbers.
Patch guidance
Contact Kados for patch availability and version information, or check the vendor's security advisories directly. Apply patches immediately upon release given the unauthenticated nature of the exploit. Test patches in a non-production environment before deployment. Verify patch effectiveness by confirming that direct SQL injection payloads to the feature_id parameter are no longer executed.
Detection guidance
Monitor web server logs and WAF logs for suspicious GET requests to boards_buttons/update_feature.php containing SQL keywords (UNION, SELECT, WHERE) or special characters (quotes, semicolons, dashes) in the feature_id parameter. Search for patterns like '%20UNION%20', '%27OR%271%27', or encoded variants. Implement database query logging to detect unusual SELECT statements querying system tables like information_schema. Network-based IDS/IPS signatures targeting SQL injection in HTTP parameters should be enabled.
Why prioritize this
This vulnerability merits immediate prioritization due to the combination of high confidentiality impact (C:H), unauthenticated attack surface (PR:N, UI:N), and network accessibility (AV:N). The ability to extract sensitive database contents without any credentials or user interaction creates material risk. Organizations should treat this as critical and patch or mitigate within days, not weeks.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects high confidentiality impact from database information disclosure, combined with low attack complexity and complete lack of access barriers. The integrity impact is rated as low because the vulnerability is read-focused (data extraction via UNION queries), not write-focused, though database enumeration could facilitate subsequent modifications. Availability is unaffected.
Frequently asked questions
Can an attacker modify or delete data with this vulnerability?
The SQL injection vulnerability is primarily suited for data extraction (SELECT queries) using UNION-based techniques. While theoretically a sufficiently skilled attacker could craft INSERT, UPDATE, or DELETE payloads, the vulnerability as described focuses on confidentiality. Assume worst-case and patch immediately regardless.
Do I need to be authenticated to exploit this?
No. This is an unauthenticated vulnerability. Any attacker with network access to the affected endpoint can attempt exploitation without valid credentials or user interaction.
What data is at risk?
Any data stored in the Kados R10 GreenBee database is at risk, including user accounts, potentially hashed or plaintext credentials, configuration data, and application-specific business data. The exact scope depends on your deployment and data model.
Is there a public exploit available?
No active public exploit code has been disclosed as of the publication date. However, SQL injection exploitation techniques are well-documented, and functional exploits could be developed quickly by motivated attackers.
This analysis is provided for informational and defensive purposes. No exploit code, proof-of-concept demonstrations, or weaponized attack instructions are included. Organizations should verify all patch versions, vendor advisories, and affected product scope directly with Kados before taking remediation actions. This vulnerability intelligence does not constitute security audit findings or compliance guidance specific to your environment. Test all patches and mitigations in non-production systems before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25398HIGHUnauthenticated SQL Injection in Open ISES Project 3.30A