HIGH 8.2

CVE-2018-25399: Unauthenticated SQL Injection in Open ISES Project 3.30A

Open ISES Project version 3.30A contains an SQL injection flaw in its nearby.php endpoint that lets unauthenticated attackers inject malicious SQL commands through two URL parameters: tick_lat and tick_lng. An attacker can craft a simple GET request to extract sensitive information from the underlying database, such as usernames, database identifiers, and version numbers. No authentication is required, and exploitation is straightforward—making this a high-severity issue for any organization running this software.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25399 is an unauthenticated SQL injection vulnerability (CWE-89) in Open ISES Project 3.30A affecting the nearby.php script. The tick_lat and tick_lng parameters are not properly sanitized before being incorporated into SQL queries, allowing attackers to submit crafted payloads via GET requests. Successful exploitation enables arbitrary SQL query execution, leading to unauthorized database access and information disclosure. The CVSS v3.1 score of 8.2 (HIGH) reflects the network-accessible nature, low attack complexity, and high confidentiality impact, tempered only by limited integrity impact and no availability impact.

Business impact

Unauthorized database disclosure exposes usernames and other sensitive metadata, creating immediate risks for credential compromise and targeted social engineering. If Open ISES Project stores user authentication data, financial records, or other regulated information, a breach could trigger compliance violations (GDPR, HIPAA, PCI-DSS depending on data classification). The reputational damage and incident response costs associated with a public SQL injection incident in a geolocation-based system could be substantial. Organizations should treat this as a priority given the ease of exploitation and the lack of any barrier to attack.

Affected systems

Open ISES Project version 3.30A is confirmed affected. Older and newer versions should be checked against the vendor's advisory, as the scope of affected releases may extend beyond 3.30A. Any deployment of Open ISES Project exposed to untrusted network traffic—particularly internet-facing instances—is at immediate risk. Organizations running earlier or later builds should verify their version against official vendor documentation before assuming they are outside the impact zone.

Exploitability

This vulnerability scores very high on exploitability. No authentication is required, the attack surface is a simple HTTP GET parameter, the complexity is low, and proof-of-concept code has likely circulated in security communities. An attacker requires only the URL to nearby.php and basic SQL injection knowledge. Automated scanners can easily detect the flaw. The main factors preventing wider abuse are likely detection and incident response rather than technical barriers. Expect active exploitation if this CVE becomes widely known.

Remediation

Immediately patch Open ISES Project to a version confirmed by the vendor to contain SQL injection fixes. Until patching is feasible, apply web application firewall (WAF) rules to block requests containing SQL injection patterns in tick_lat and tick_lng parameters, or restrict network access to nearby.php to authorized IP ranges only. Input validation and parameterized queries should be implemented in any updated code. Consider conducting a forensic review of access logs to identify whether the vulnerability has been exploited prior to remediation.

Patch guidance

Consult the official Open ISES Project vendor advisory or security page for confirmed patched versions and upgrade instructions. Verify the patch resolves SQL injection in nearby.php before deployment. Test thoroughly in a non-production environment to ensure compatibility with your configuration. Apply patches during a maintenance window and monitor logs post-deployment for any anomalies. If no patch is immediately available, implement the interim controls outlined in the remediation section.

Detection guidance

Monitor web server access logs for GET requests to nearby.php containing SQL metacharacters (single quotes, semicolons, 'OR', 'UNION', 'SELECT', etc.) in tick_lat or tick_lng parameters. Implement alerting on such patterns. Database activity monitoring (DAM) solutions should flag unusual query patterns or access from the application layer. Network-based intrusion detection can be tuned to recognize common SQL injection payloads. Conduct log reviews of the past 6–12 months if this vulnerability was recently disclosed to identify retrospective evidence of compromise.

Why prioritize this

This vulnerability merits urgent remediation due to the combination of unauthenticated access, high-severity CVSS score (8.2), ease of exploitation, and direct database compromise. The attack requires no user interaction and no special privileges. Database exposure—even of metadata—creates downstream risks for credential harvesting and lateral movement. Because it is not yet on the KEV catalog, the urgency depends on your organization's exposure and data sensitivity, but should not be deprioritized based on low public awareness.

Risk score, explained

The CVSS v3.1 score of 8.2 reflects a HIGH severity rating driven by network accessibility (AV:N), low attack complexity (AC:L), no authentication required (PR:N), and high confidentiality impact (C:H). The integrity and availability impacts are rated as low and none, respectively, because SQL injection here is primarily an information-disclosure vector. Organizations with internet-facing Open ISES Project deployments or those processing sensitive data should treat this as critical; internal-only deployments face lower risk but should still prioritize patching.

Frequently asked questions

Is there a public exploit for CVE-2018-25399?

The vulnerability description confirms that SQL injection payloads can be delivered via GET requests to nearby.php. While no weaponized proof-of-concept code is provided in this advisory, SQL injection exploitation techniques are well-documented in the security community. Any organization running affected versions should assume exploitation is feasible and act accordingly.

Does this vulnerability require authentication?

No. This is an unauthenticated vulnerability. Any attacker with network access to the nearby.php endpoint can attempt exploitation without credentials or valid user sessions.

What data can an attacker extract using this vulnerability?

According to the CVE description, attackers can extract usernames, database names, and version details. Depending on database permissions and schema, broader data sets may be accessible. A forensic investigation should be conducted to determine what was actually accessible in your environment.

Is there a workaround if I cannot patch immediately?

Yes. Implement a web application firewall to block requests containing SQL injection patterns in the tick_lat and tick_lng parameters. You can also restrict network access to the nearby.php endpoint to known, trusted IP addresses. These are interim measures only; patches should be applied as soon as the vendor releases them.

This advisory is provided for informational purposes and represents the current understanding of CVE-2018-25399 based on available public information as of the date of publication. SEC.co does not provide warranties regarding the accuracy or completeness of this analysis. Organizations should verify all technical details, patch availability, and affected versions directly with the Open ISES Project vendor or official security advisories before taking remediation action. Timelines, patch versions, and vendor guidance may change; please refer to the vendor's official channels for the most current information. This analysis does not constitute professional security advice; consult with your organization's security team or a qualified security consultant for advice specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).