HIGH 8.2

CVE-2018-25398: Unauthenticated SQL Injection in Open ISES Project 3.30A

CVE-2018-25398 is an unauthenticated SQL injection vulnerability in Open ISES Project version 3.30A. An attacker can craft malicious database queries and submit them through the frm_passwd parameter in POST requests to main.php, bypassing authentication entirely. This allows extraction of sensitive database contents—usernames, database names, system versions—without needing valid credentials. The vulnerability is remotely exploitable with no special conditions required.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input validation on the frm_passwd parameter processed by main.php. User-supplied input is concatenated directly into SQL queries without parameterization or escaping, enabling classical SQL injection (CWE-89). An unauthenticated attacker can inject arbitrary SQL syntax to alter query logic, extract data via UNION-based or error-based techniques, or potentially modify database contents. The attack surface is the network-accessible POST handler with no prior authentication gate.

Business impact

Successful exploitation results in unauthorized access to application and backend database credentials, user account information, and potentially sensitive business data stored in the database. For organizations running Open ISES Project 3.30A in production, this creates immediate risk of account compromise, data theft, and lateral movement into connected systems. The low barrier to exploitation (no authentication, no user interaction) means exposure begins the moment the application is internet-facing.

Affected systems

Open ISES Project version 3.30A is affected. The vulnerability requires the application to be running and network-accessible. Organizations should inventory instances of this software in their environment, including development, testing, and staging systems, as each represents a potential entry point for credential harvesting.

Exploitability

The CVSS 3.1 score of 8.2 (HIGH) reflects the ease and impact of exploitation. The attack vector is network-based, no authentication is required, attack complexity is low, and no user interaction is needed. An attacker can automate discovery and exploitation using standard SQL injection testing tools. Public awareness of the vulnerability and relative simplicity of SQL injection payloads mean exploit activity should be anticipated, though no public proof-of-concept is being promoted here.

Remediation

Immediate action is required. Organizations must upgrade Open ISES Project to a patched version released after the vulnerability disclosure. If a direct patch is unavailable, the application should be taken offline or moved behind network segmentation that restricts access to trusted internal networks only. As an interim control, disable or restrict POST access to main.php at the web application firewall or reverse proxy level if business operations permit.

Patch guidance

Check the Open ISES Project vendor advisory and release notes for a version numbered after 3.30A that explicitly addresses CVE-2018-25398. Apply patches during a maintenance window and verify the fix by reviewing the vendor's patch documentation. Confirm the application is fully restarted after patching. Test in a staging environment first to ensure no regression in functionality before production deployment.

Detection guidance

Monitor POST requests to main.php for SQL syntax keywords (SELECT, UNION, OR, --) in the frm_passwd parameter. Deploy a WAF rule set to block common SQL injection patterns. Review application logs and database query logs for suspicious activity dating back to the application's deployment date. Search for successful login events using database credentials that were not previously known to be compromised; if found, those systems were exploited before detection and require credential rotation and forensic review.

Why prioritize this

This vulnerability merits immediate remediation. The combination of unauthenticated access, ease of exploitation, and high impact (confidentiality breach, partial integrity risk) creates pressing operational risk. No authentication barrier means any external-facing instance is vulnerable from day one. The CVSS HIGH rating and the confirmed attack vector align with organizational security baselines that typically demand expedited patching for network-accessible flaws affecting confidential data.

Risk score, explained

CVSS 3.1 score 8.2 reflects: (1) Network attack vector—exploitation requires only network access, no physical access or legitimate account needed; (2) Low attack complexity—no special setup, tools, or timing required; (3) No privileges required—unauthenticated attacker can trigger the flaw; (4) No user interaction—attack succeeds without tricking users; (5) High confidentiality impact—sensitive data (credentials, usernames, versions) is directly exfiltrable; (6) Low integrity impact—attacker can modify some data but full write access is not confirmed; (7) No availability impact—DoS is not a stated consequence. The score does not include ransomware or active KEV status factors, which remain absent from this disclosure.

Frequently asked questions

Can this vulnerability be exploited without network access to the application?

No. The vulnerability requires the attacker to send HTTP POST requests directly to main.php, so the application must be network-reachable. However, if the application is internet-facing (which many projects are), no additional authentication or privilege is needed to launch an attack.

What data is at risk if this vulnerability is exploited?

An attacker can extract any data stored in the database that the application's database user account has permission to read, including usernames, password hashes or plaintext credentials (depending on storage), database names, version information, and application-specific data. The exact scope depends on the database schema and what sensitive information the organization stores.

Is there a temporary fix if we cannot patch immediately?

Temporary mitigations include: (1) restricting network access to main.php to internal/trusted IPs only via firewall rules; (2) deploying WAF rules to block SQL injection payloads in POST parameters; (3) disabling the affected functionality if business logic permits. These are stop-gap measures only and should not replace a full patch as soon as one is available.

Does this vulnerability require the attacker to have a valid user account?

No. The vulnerability is explicitly unauthenticated—no login credentials or valid account are required. An attacker can exploit it directly from the internet (if the application is exposed) or from inside a network if the application is internal-only.

This analysis is provided for informational purposes. The vulnerability details and CVSS score are drawn from authoritative sources including the CVE Record and vendor advisories. Organizations must verify patch availability and applicability with the Open ISES Project vendor and test patches in staging environments before production deployment. SEC.co does not guarantee the completeness or timeliness of this analysis and recommends cross-referencing vendor advisories and security bulletins for the latest information. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).