HIGH 8.2

CVE-2018-25404: SQL Injection in Open ISES Project 3.30A – Exploitation & Remediation Guide

Open ISES Project version 3.30A is vulnerable to SQL injection through its add_facnote.php endpoint. An attacker can craft malicious SQL code in the ticket_id parameter and send it via a GET request without needing to authenticate first. This allows the attacker to read sensitive data directly from the database, including version information and other confidential records. The vulnerability requires no special conditions—any internet-connected instance of the software is at risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to extract sensitive database information including version details and other data.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25404 is an unauthenticated SQL injection vulnerability in the ticket_id parameter of add_facnote.php in Open ISES Project 3.30A. The application fails to sanitize or parameterize user input before constructing SQL queries, enabling attackers to inject arbitrary SQL statements via GET requests. The CVSS 3.1 vector (8.2/HIGH) reflects network accessibility, low attack complexity, no authentication requirement, and high confidentiality impact with limited integrity risk. This is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Business impact

Compromise of an Open ISES Project installation could result in unauthorized exposure of ticket data, user records, and other database contents depending on application scope. For organizations using this software to manage sensitive administrative or operational workflows, the breach could facilitate identity theft, compliance violations, or further lateral attacks. The lack of authentication requirement means external attackers can exploit this without internal access or credentials.

Affected systems

Open ISES Project version 3.30A is the confirmed affected release. Organizations running this version with internet-facing or internal network access to add_facnote.php are at direct risk. Verify your deployment version and assess whether this endpoint is accessible from untrusted networks. No vendor or product details are currently available in the source data; consult the official Open ISES Project channels for complete compatibility information.

Exploitability

Exploitability is high. The vulnerability requires no authentication, no user interaction, and no special network conditions—only the ability to send a crafted GET request to the vulnerable endpoint. Attack complexity is low; standard SQL injection techniques apply. Public disclosure and the straightforward attack vector mean the barrier to exploitation is minimal, though active exploitation in the wild is not currently tracked in the KEV catalog.

Remediation

Immediate action is required. First, identify all running instances of Open ISES Project 3.30A and assess network exposure. Isolate or restrict access to add_facnote.php and the application itself until a patch is confirmed available. As a temporary measure, implement Web Application Firewall (WAF) rules to block SQL injection payloads in the ticket_id parameter. Verify that any available patch or newer version from the Open ISES Project addresses this vulnerability before deployment. After patching, conduct database integrity checks and review logs for signs of exploitation.

Patch guidance

Consult the official Open ISES Project repository, security advisories, and vendor communications for confirmed patch versions addressing CVE-2018-25404. Patches should include input validation and parameterized query use for the ticket_id parameter in add_facnote.php. Before applying any patch, test in a non-production environment and verify that the fix does not introduce regression. If no official patch is available, evaluate alternative versions or alternate products and prepare a migration plan.

Detection guidance

Monitor application and WAF logs for GET requests to add_facnote.php containing SQL keywords or special characters (single quotes, dashes, parentheses, UNION, SELECT, etc.) in the ticket_id parameter. Look for error messages indicating SQL syntax issues in application responses. Implement network segmentation to limit exposure of the application to known legitimate users and systems. Run vulnerability scans and code reviews on all instances to identify similar injection flaws in other endpoints.

Why prioritize this

This vulnerability scores 8.2/HIGH on CVSS 3.1 due to network accessibility, lack of authentication, and high confidentiality impact. SQL injection on a ticket management system poses direct risk to operational and personal data. The combination of ease of exploitation and sensitivity of data typically stored in such systems justifies immediate remediation ahead of lower-severity issues. Organizations should treat this as urgent pending confirmation of patch availability.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects: Attack Vector (Network) — remotely exploitable; Attack Complexity (Low) — no special conditions required; Privileges Required (None) — no authentication; User Interaction (None) — automated exploitation possible; Scope (Unchanged) — impact limited to the vulnerable system; Confidentiality (High) — sensitive database records are readable; Integrity (Low) — limited ability to modify data; Availability (None) — no denial-of-service component. The high confidentiality impact and low barriers to exploitation drive the score into the HIGH range.

Frequently asked questions

What is the Open ISES Project and who uses it?

Open ISES Project is a ticketing or issue-tracking system. Organizations using it to manage support requests, administrative workflows, or operational tasks should audit their deployments immediately. If you are unsure whether your organization runs this software, check with your infrastructure or application teams.

Can an attacker modify or delete data with this vulnerability?

The CVSS impact assessment indicates limited integrity risk, meaning the attacker's primary capability is reading data. However, depending on the specific SQL injection context and database permissions, modification or deletion may be possible in some scenarios. Do not assume read-only impact; treat this as a full database compromise risk until patched.

Is this vulnerability actively being exploited?

This vulnerability is not listed in the CISA KEV catalog as of the data provided, meaning there is no confirmed active exploitation in the wild at this time. However, the ease of exploitation and public disclosure mean that opportunistic scanning and exploitation attempts may occur. Do not delay remediation based on lack of current KEV status.

What should I do if my organization runs Open ISES Project 3.30A?

First, confirm your running version and network exposure. Isolate the application from untrusted networks if possible. Check for patches or security updates from the Open ISES Project maintainers. Apply WAF rules to block SQL injection attempts as a temporary measure. Review database logs for suspicious queries or unauthorized access. Once a confirmed patch is available, test it and deploy as part of a coordinated remediation plan.

This analysis is based on published vulnerability data and does not constitute legal advice or a guarantee of security. Patch availability, version numbers, and remediation steps should be verified against official vendor advisories and the Open ISES Project security channels before implementation. Organizations should conduct their own risk assessments and testing. SEC.co does not assume liability for the use or misuse of this information. Always follow your organization's change management and security governance policies when applying patches or mitigations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).