CVE-2018-25404: SQL Injection in Open ISES Project 3.30A – Exploitation & Remediation Guide
Open ISES Project version 3.30A is vulnerable to SQL injection through its add_facnote.php endpoint. An attacker can craft malicious SQL code in the ticket_id parameter and send it via a GET request without needing to authenticate first. This allows the attacker to read sensitive data directly from the database, including version information and other confidential records. The vulnerability requires no special conditions—any internet-connected instance of the software is at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to extract sensitive database information including version details and other data.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25404 is an unauthenticated SQL injection vulnerability in the ticket_id parameter of add_facnote.php in Open ISES Project 3.30A. The application fails to sanitize or parameterize user input before constructing SQL queries, enabling attackers to inject arbitrary SQL statements via GET requests. The CVSS 3.1 vector (8.2/HIGH) reflects network accessibility, low attack complexity, no authentication requirement, and high confidentiality impact with limited integrity risk. This is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Business impact
Compromise of an Open ISES Project installation could result in unauthorized exposure of ticket data, user records, and other database contents depending on application scope. For organizations using this software to manage sensitive administrative or operational workflows, the breach could facilitate identity theft, compliance violations, or further lateral attacks. The lack of authentication requirement means external attackers can exploit this without internal access or credentials.
Affected systems
Open ISES Project version 3.30A is the confirmed affected release. Organizations running this version with internet-facing or internal network access to add_facnote.php are at direct risk. Verify your deployment version and assess whether this endpoint is accessible from untrusted networks. No vendor or product details are currently available in the source data; consult the official Open ISES Project channels for complete compatibility information.
Exploitability
Exploitability is high. The vulnerability requires no authentication, no user interaction, and no special network conditions—only the ability to send a crafted GET request to the vulnerable endpoint. Attack complexity is low; standard SQL injection techniques apply. Public disclosure and the straightforward attack vector mean the barrier to exploitation is minimal, though active exploitation in the wild is not currently tracked in the KEV catalog.
Remediation
Immediate action is required. First, identify all running instances of Open ISES Project 3.30A and assess network exposure. Isolate or restrict access to add_facnote.php and the application itself until a patch is confirmed available. As a temporary measure, implement Web Application Firewall (WAF) rules to block SQL injection payloads in the ticket_id parameter. Verify that any available patch or newer version from the Open ISES Project addresses this vulnerability before deployment. After patching, conduct database integrity checks and review logs for signs of exploitation.
Patch guidance
Consult the official Open ISES Project repository, security advisories, and vendor communications for confirmed patch versions addressing CVE-2018-25404. Patches should include input validation and parameterized query use for the ticket_id parameter in add_facnote.php. Before applying any patch, test in a non-production environment and verify that the fix does not introduce regression. If no official patch is available, evaluate alternative versions or alternate products and prepare a migration plan.
Detection guidance
Monitor application and WAF logs for GET requests to add_facnote.php containing SQL keywords or special characters (single quotes, dashes, parentheses, UNION, SELECT, etc.) in the ticket_id parameter. Look for error messages indicating SQL syntax issues in application responses. Implement network segmentation to limit exposure of the application to known legitimate users and systems. Run vulnerability scans and code reviews on all instances to identify similar injection flaws in other endpoints.
Why prioritize this
This vulnerability scores 8.2/HIGH on CVSS 3.1 due to network accessibility, lack of authentication, and high confidentiality impact. SQL injection on a ticket management system poses direct risk to operational and personal data. The combination of ease of exploitation and sensitivity of data typically stored in such systems justifies immediate remediation ahead of lower-severity issues. Organizations should treat this as urgent pending confirmation of patch availability.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects: Attack Vector (Network) — remotely exploitable; Attack Complexity (Low) — no special conditions required; Privileges Required (None) — no authentication; User Interaction (None) — automated exploitation possible; Scope (Unchanged) — impact limited to the vulnerable system; Confidentiality (High) — sensitive database records are readable; Integrity (Low) — limited ability to modify data; Availability (None) — no denial-of-service component. The high confidentiality impact and low barriers to exploitation drive the score into the HIGH range.
Frequently asked questions
What is the Open ISES Project and who uses it?
Open ISES Project is a ticketing or issue-tracking system. Organizations using it to manage support requests, administrative workflows, or operational tasks should audit their deployments immediately. If you are unsure whether your organization runs this software, check with your infrastructure or application teams.
Can an attacker modify or delete data with this vulnerability?
The CVSS impact assessment indicates limited integrity risk, meaning the attacker's primary capability is reading data. However, depending on the specific SQL injection context and database permissions, modification or deletion may be possible in some scenarios. Do not assume read-only impact; treat this as a full database compromise risk until patched.
Is this vulnerability actively being exploited?
This vulnerability is not listed in the CISA KEV catalog as of the data provided, meaning there is no confirmed active exploitation in the wild at this time. However, the ease of exploitation and public disclosure mean that opportunistic scanning and exploitation attempts may occur. Do not delay remediation based on lack of current KEV status.
What should I do if my organization runs Open ISES Project 3.30A?
First, confirm your running version and network exposure. Isolate the application from untrusted networks if possible. Check for patches or security updates from the Open ISES Project maintainers. Apply WAF rules to block SQL injection attempts as a temporary measure. Review database logs for suspicious queries or unauthorized access. Once a confirmed patch is available, test it and deploy as part of a coordinated remediation plan.
This analysis is based on published vulnerability data and does not constitute legal advice or a guarantee of security. Patch availability, version numbers, and remediation steps should be verified against official vendor advisories and the Open ISES Project security channels before implementation. Organizations should conduct their own risk assessments and testing. SEC.co does not assume liability for the use or misuse of this information. Always follow your organization's change management and security governance policies when applying patches or mitigations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access