HIGH 8.2

CVE-2018-25401 SQL Injection in Open ISES Project 3.30A: Unauthenticated Database Access

Open ISES Project version 3.30A is vulnerable to SQL injection through an unauthenticated web interface. An attacker can craft malicious database queries and send them via HTTP GET requests to the sever_graph.php endpoint, bypassing authentication entirely. This allows extraction of sensitive database schema and contents without legitimate access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25401 is an unauthenticated SQL injection vulnerability in Open ISES Project 3.30A affecting the p1 parameter of sever_graph.php. The vulnerability stems from insufficient input validation on user-supplied SQL parameters. Attackers exploit this by sending crafted GET requests containing SQL metacharacters and commands. The CVSS 3.1 score of 8.2 reflects high confidentiality impact (information disclosure), low integrity impact (potential for data modification in some injection contexts), and no availability impact. The attack vector is network-based with low complexity and requires no privileges or user interaction.

Business impact

Unauthorized database access poses significant operational and compliance risk. Attackers can exfiltrate sensitive data stored in the application database—including user information, credentials, and business logic—without detection. This exposure may trigger regulatory breach notification obligations (GDPR, HIPAA, PCI-DSS depending on data stored) and damage customer trust. In environments where Open ISES processes or stores critical operational data, information disclosure could enable follow-on attacks or competitive harm.

Affected systems

Open ISES Project version 3.30A is confirmed affected. The vulnerability requires network access to the sever_graph.php endpoint. Any deployment of this version exposed to untrusted networks (internet-facing or accessible from compromised internal systems) is at risk. Organizations should inventory all instances and assess network exposure.

Exploitability

This vulnerability is straightforward to exploit. No authentication is required, network access is the only prerequisite, and SQL injection payloads are well-understood attack primitives. Attack complexity is low—standard SQL UNION-based or boolean-blind injection techniques apply. The attack requires only HTTP GET capability and basic SQL knowledge. Exploitation can be automated with standard vulnerability scanners or custom scripts. The lack of KEV listing does not reflect difficulty; rather, active exploitation in the wild has not been formally documented to CISA at the time of this data snapshot.

Remediation

Immediate action required: upgrade Open ISES Project to a patched version. Contact the Open ISES Project maintainers or check their official repository for a release that addresses CVE-2018-25401. If an upgrade is unavailable or delayed, implement network-level controls to restrict access to sever_graph.php—use firewall rules, reverse proxy authentication, or WAF rules to block or sanitize requests to that endpoint. Parameterized queries and prepared statements should be enforced in any patched code.

Patch guidance

Verify the availability of a patched release from the Open ISES Project official sources (GitHub, project website, or security advisory). Upgrade to the earliest available version after 3.30A that includes a fix for this SQL injection. Test the patched version in a non-production environment first to ensure compatibility with your deployment. After upgrade, validate that sever_graph.php correctly rejects malicious SQL payloads and returns errors instead of database results. Document the patch date and version applied for compliance records.

Detection guidance

Monitor HTTP access logs for GET requests to sever_graph.php containing suspicious SQL syntax characters (apostrophes, semicolons, UNION, SELECT, OR, comment sequences like --, /**/). Log and alert on 4xx or 5xx responses from that endpoint, which may indicate injection attempts triggering SQL errors. Network-based IDS/IPS rules targeting SQL injection patterns in HTTP query parameters can detect exploitation attempts. Query application databases for unexpected schema access or data exports correlating with alert timestamps. If available, enable query logging on the database backend to capture injected SQL commands.

Why prioritize this

HIGH priority remediation is warranted due to the combination of unauthenticated access, high-impact information disclosure, and low exploitation complexity. Any internet-facing or network-accessible instance of Open ISES Project 3.30A should be treated as an urgent patch candidate. Internal-only deployments in segmented networks with restricted access should still be patched within normal maintenance windows but are lower tactical priority than exposed instances.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects a critical confidentiality impact (full database information disclosure) with minimal complexity or barriers to exploitation. The absence of availability impact (no denial of service) and limited integrity impact (attacker focus is on reading, not modifying) prevents a CRITICAL rating. However, unauthenticated network access combined with sensitive data exposure justifies the HIGH severity. Organizations should not underweight this based on the score alone—the practical risk is substantial for any system storing sensitive information.

Frequently asked questions

Is this vulnerability being actively exploited?

CVE-2018-25401 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been formally tracked or confirmed to CISA. However, the simplicity of SQL injection attacks and the lack of authentication requirements suggest the vulnerability is likely exploitable and could be targeted opportunistically. Do not interpret the absence of a KEV listing as evidence of safety; proactive patching remains essential.

Can a firewall protect us if we cannot patch immediately?

A Web Application Firewall (WAF) or network firewall can provide temporary mitigation by blocking HTTP requests to sever_graph.php or filtering requests containing SQL injection signatures in the p1 parameter. This reduces but does not eliminate risk—sophisticated attackers may bypass simple filters. Firewall controls should be treated as a stop-gap while patch deployment is organized, not as a permanent defense.

What data is at risk if we are compromised?

An attacker exploiting this vulnerability can extract any data stored in the database accessible to the Open ISES Project application. This typically includes database schema, table names, column definitions, and all records—depending on database permissions. The scope depends on your deployment: if the application has access to sensitive user data, financial records, or credentials, all of that is at risk.

Does the patch version number appear in public advisories?

Specific patched version numbers are not provided in the current vulnerability data. Consult the official Open ISES Project GitHub repository, security advisories, or release notes to identify the first patched version. When in doubt, upgrade to the latest stable release available and verify the fix is documented in release notes before deploying to production.

This analysis is provided for informational purposes and reflects the CVE details and CVSS scoring as of the data snapshot. Patch availability, version numbers, and remediation timelines should be verified directly with the Open ISES Project maintainers or official security advisories. SEC.co makes no warranty regarding patch effectiveness or compatibility. Organizations must conduct their own risk assessment and testing before deploying patches or implementing mitigations in production environments. If you discover active exploitation or have questions specific to your environment, consult your security team or a qualified penetration testing firm. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).