CVE-2018-25400: Unauthenticated SQL Injection in Open ISES Project 3.30A
Open ISES Project version 3.30A contains an unauthenticated SQL injection vulnerability in its form submission endpoint. An attacker can craft malicious SQL code and send it through a web request to extract sensitive information from the application's database without needing valid credentials. The vulnerability requires no user interaction and can be exploited over the network, making it a significant remote threat.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and other data.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25400 is an unauthenticated SQL injection vulnerability (CWE-89) located in the ajax/form_post.php endpoint of Open ISES Project 3.30A. The 'id' parameter fails to properly sanitize or parameterize user input before incorporating it into SQL queries. This permits attackers to inject arbitrary SQL commands via GET requests, potentially leading to unauthorized database enumeration and data extraction. The CVSS 3.1 score of 8.2 (HIGH) reflects the high confidentiality impact, low integrity impact, and network-accessible attack surface with no authentication required.
Business impact
A successful exploitation could expose sensitive database contents, including schema information, user records, or business-critical data depending on database permissions and content. This exposure could lead to regulatory compliance violations (GDPR, PCI-DSS, HIPAA, etc.), reputational harm, and potential follow-on attacks leveraging exposed credentials or system details. Organizations running Open ISES Project 3.30A in production face immediate risk of unauthorized data disclosure.
Affected systems
Open ISES Project version 3.30A is affected. Organizations should inventory all instances of this application in their environment, including development, testing, and production deployments. Any system exposing the ajax/form_post.php endpoint to untrusted networks is at risk.
Exploitability
This vulnerability has a low barrier to exploitation. No authentication is required, the attack vector is network-based, and the attack complexity is low—a simple HTTP GET request with a SQL payload is sufficient. Exploitation does not require user interaction. However, the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active exploitation in the wild has not been formally documented as of the intelligence publication date.
Remediation
Upgrade Open ISES Project to a patched version released after this vulnerability was disclosed. If an immediate upgrade is not feasible, implement network-level controls such as Web Application Firewall (WAF) rules to block suspicious SQL injection patterns in the 'id' parameter, restrict access to the ajax/form_post.php endpoint to trusted networks only, and apply input validation rules at the application layer. Verify the specific patched version against the vendor's official security advisory.
Patch guidance
Contact the Open ISES Project maintainers or consult their official security advisories for the recommended patched version. Apply patches promptly in a tested environment before deploying to production. Given the high severity and ease of exploitation, patching should be prioritized in your change management process.
Detection guidance
Monitor HTTP access logs for GET requests to ajax/form_post.php containing SQL keywords (SELECT, UNION, DROP, INSERT, OR, AND, etc.) in the 'id' parameter or other URL-encoded equivalents. Implement Web Application Firewall rules to detect and block SQL injection payloads. Review database query logs for unusual or repeated failed queries, which may indicate reconnaissance. Correlation of these signals with external scanning or vulnerability scanner activity may indicate active reconnaissance.
Why prioritize this
This vulnerability merits immediate remediation priority due to the combination of high CVSS score (8.2), complete lack of authentication requirement, network-accessible attack surface, and low exploitation complexity. The confidentiality impact is high, meaning sensitive data exposure is the primary risk. Organizations should treat this as urgent unless the affected application is air-gapped or not internet-facing.
Risk score, explained
The CVSS 3.1 score of 8.2 reflects a network-accessible vulnerability requiring no credentials or user interaction, resulting in high confidentiality impact. The score is tempered slightly because integrity and availability impacts are limited—the attacker can read data but cannot easily modify or disrupt service. In contexts where the database contains highly sensitive information (PII, financial data, secrets), the real-world risk may be perceived as even higher than the base CVSS suggests.
Frequently asked questions
Does this vulnerability require the attacker to be authenticated?
No. One of the critical aspects of CVE-2018-25400 is that it can be exploited by unauthenticated attackers. No valid credentials or session are required to launch an attack, significantly lowering the barrier to exploitation.
Is there active exploitation of this vulnerability in the wild?
CVE-2018-25400 is not currently listed in the CISA Known Exploited Vulnerabilities catalog as of the published intelligence date. However, the simplicity of SQL injection attacks and the age of the vulnerability mean that reliable exploitation code likely exists in public repositories or attacker toolkits.
What data is at risk if we run Open ISES Project 3.30A?
Any data stored in the database accessible to the application's database user is at risk, including schema names, table names, usernames, and potentially sensitive application data. The actual scope depends on what information is stored and the database permissions assigned to the application account. In worst-case scenarios, attackers can extract customer data, credentials, or business intelligence.
Can we mitigate this without upgrading immediately?
Temporary mitigation is possible through network controls: restrict access to ajax/form_post.php to trusted IP ranges, deploy a Web Application Firewall to block SQL injection patterns, and disable the vulnerable endpoint if it is not critical to operations. However, these are stopgaps—upgrading to a patched version is the only permanent fix.
This analysis is provided for informational purposes and does not constitute legal or professional security advice. Organizations should consult with their own security teams and the Open ISES Project vendors for vendor-specific guidance, patch availability, and compatibility testing. CVSS scores, timelines, and exploitation status are accurate as of the publication date and may change as new information becomes available. Always validate patch versions and compatibility in your environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access