CVE-2018-25398: Unauthenticated SQL Injection in Open ISES Project 3.30A
CVE-2018-25398 is an unauthenticated SQL injection vulnerability in Open ISES Project version 3.30A. An attacker can craft malicious database queries and submit them through the frm_passwd parameter in POST requests to main.php, bypassing authentication entirely. This allows extraction of sensitive database contents—usernames, database names, system versions—without needing valid credentials. The vulnerability is remotely exploitable with no special conditions required.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation on the frm_passwd parameter processed by main.php. User-supplied input is concatenated directly into SQL queries without parameterization or escaping, enabling classical SQL injection (CWE-89). An unauthenticated attacker can inject arbitrary SQL syntax to alter query logic, extract data via UNION-based or error-based techniques, or potentially modify database contents. The attack surface is the network-accessible POST handler with no prior authentication gate.
Business impact
Successful exploitation results in unauthorized access to application and backend database credentials, user account information, and potentially sensitive business data stored in the database. For organizations running Open ISES Project 3.30A in production, this creates immediate risk of account compromise, data theft, and lateral movement into connected systems. The low barrier to exploitation (no authentication, no user interaction) means exposure begins the moment the application is internet-facing.
Affected systems
Open ISES Project version 3.30A is affected. The vulnerability requires the application to be running and network-accessible. Organizations should inventory instances of this software in their environment, including development, testing, and staging systems, as each represents a potential entry point for credential harvesting.
Exploitability
The CVSS 3.1 score of 8.2 (HIGH) reflects the ease and impact of exploitation. The attack vector is network-based, no authentication is required, attack complexity is low, and no user interaction is needed. An attacker can automate discovery and exploitation using standard SQL injection testing tools. Public awareness of the vulnerability and relative simplicity of SQL injection payloads mean exploit activity should be anticipated, though no public proof-of-concept is being promoted here.
Remediation
Immediate action is required. Organizations must upgrade Open ISES Project to a patched version released after the vulnerability disclosure. If a direct patch is unavailable, the application should be taken offline or moved behind network segmentation that restricts access to trusted internal networks only. As an interim control, disable or restrict POST access to main.php at the web application firewall or reverse proxy level if business operations permit.
Patch guidance
Check the Open ISES Project vendor advisory and release notes for a version numbered after 3.30A that explicitly addresses CVE-2018-25398. Apply patches during a maintenance window and verify the fix by reviewing the vendor's patch documentation. Confirm the application is fully restarted after patching. Test in a staging environment first to ensure no regression in functionality before production deployment.
Detection guidance
Monitor POST requests to main.php for SQL syntax keywords (SELECT, UNION, OR, --) in the frm_passwd parameter. Deploy a WAF rule set to block common SQL injection patterns. Review application logs and database query logs for suspicious activity dating back to the application's deployment date. Search for successful login events using database credentials that were not previously known to be compromised; if found, those systems were exploited before detection and require credential rotation and forensic review.
Why prioritize this
This vulnerability merits immediate remediation. The combination of unauthenticated access, ease of exploitation, and high impact (confidentiality breach, partial integrity risk) creates pressing operational risk. No authentication barrier means any external-facing instance is vulnerable from day one. The CVSS HIGH rating and the confirmed attack vector align with organizational security baselines that typically demand expedited patching for network-accessible flaws affecting confidential data.
Risk score, explained
CVSS 3.1 score 8.2 reflects: (1) Network attack vector—exploitation requires only network access, no physical access or legitimate account needed; (2) Low attack complexity—no special setup, tools, or timing required; (3) No privileges required—unauthenticated attacker can trigger the flaw; (4) No user interaction—attack succeeds without tricking users; (5) High confidentiality impact—sensitive data (credentials, usernames, versions) is directly exfiltrable; (6) Low integrity impact—attacker can modify some data but full write access is not confirmed; (7) No availability impact—DoS is not a stated consequence. The score does not include ransomware or active KEV status factors, which remain absent from this disclosure.
Frequently asked questions
Can this vulnerability be exploited without network access to the application?
No. The vulnerability requires the attacker to send HTTP POST requests directly to main.php, so the application must be network-reachable. However, if the application is internet-facing (which many projects are), no additional authentication or privilege is needed to launch an attack.
What data is at risk if this vulnerability is exploited?
An attacker can extract any data stored in the database that the application's database user account has permission to read, including usernames, password hashes or plaintext credentials (depending on storage), database names, version information, and application-specific data. The exact scope depends on the database schema and what sensitive information the organization stores.
Is there a temporary fix if we cannot patch immediately?
Temporary mitigations include: (1) restricting network access to main.php to internal/trusted IPs only via firewall rules; (2) deploying WAF rules to block SQL injection payloads in POST parameters; (3) disabling the affected functionality if business logic permits. These are stop-gap measures only and should not replace a full patch as soon as one is available.
Does this vulnerability require the attacker to have a valid user account?
No. The vulnerability is explicitly unauthenticated—no login credentials or valid account are required. An attacker can exploit it directly from the internet (if the application is exposed) or from inside a network if the application is internal-only.
This analysis is provided for informational purposes. The vulnerability details and CVSS score are drawn from authoritative sources including the CVE Record and vendor advisories. Organizations must verify patch availability and applicability with the Open ISES Project vendor and test patches in staging environments before production deployment. SEC.co does not guarantee the completeness or timeliness of this analysis and recommends cross-referencing vendor advisories and security bulletins for the latest information. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access