HIGH 7.1

CVE-2018-25410: SQL Injection in SIM-PKH 2.4.1 Admin Panel — Security Analysis

SIM-PKH version 2.4.1 contains a SQL injection flaw in its admin media management interface. An authenticated attacker can craft malicious requests to the /admin/media.php endpoint that inject SQL code, allowing them to extract sensitive database information such as usernames, database names, and version details. The vulnerability requires valid login credentials but poses a meaningful risk to data confidentiality within affected deployments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in SIM-PKH 2.4.1's admin media handler, specifically within the /admin/media.php script when processing the 'id' parameter with module=pengurus and act=editpengurus query parameters. The application fails to properly sanitize or parameterize SQL queries, allowing authenticated users to append UNION-based SQL statements. This enables data extraction attacks against the underlying database without direct database access. The flaw is classified as CWE-89 (SQL Injection) and requires authentication but operates over the network without additional user interaction.

Business impact

A compromised admin account or internal attacker with legitimate credentials could systematically extract database contents, including user credentials, application configuration data, and potentially sensitive business information stored in the database. While the CVSS vector indicates limited impact to integrity and no availability impact, the confidentiality breach could expose authentication details and lead to lateral movement or privilege escalation. Organizations running SIM-PKH 2.4.1 should assess whether admin accounts have been compromised and whether database contents have been accessed without authorization.

Affected systems

SIM-PKH version 2.4.1 is affected. Deployments running this specific version with internet or intranet exposure, or where admin users may be untrusted or compromised, face direct risk. No vendor products are listed in the vulnerability record; verify your SIM-PKH deployment version and assess whether you are operating version 2.4.1 or a patched successor.

Exploitability

Exploitation requires valid admin credentials to the SIM-PKH application and network access to the /admin/media.php endpoint. The attack is straightforward to execute—an attacker needs only craft a GET request with a malicious SQL UNION payload in the 'id' parameter. This is not a zero-day or unauthenticated remote code execution risk, but it does represent a credible insider threat and a meaningful risk if admin accounts are compromised through phishing, credential reuse, or social engineering.

Remediation

Upgrade SIM-PKH to a version released after June 2026 that patches this SQL injection vulnerability. Verify the patch version against the vendor's official security advisory. Until patching is possible, implement strict access controls on /admin/media.php, restrict admin account access to trusted networks only, and monitor for unusual SQL patterns in application logs. Enforce strong, unique passwords for admin accounts and implement multi-factor authentication if available.

Patch guidance

Contact the SIM-PKH vendor or consult their official security advisory for the specific patched version number and deployment instructions. Do not rely on version numbers inferred from this advisory—verify directly with the vendor. Apply patches in a test environment first, then deploy to production following your organization's change management procedures.

Detection guidance

Monitor access logs for GET requests to /admin/media.php containing SQL keywords (UNION, SELECT, WHERE, OR 1=1) in the 'id' parameter. Enable query logging in your database and look for unexpected SELECT statements executed under the application's database user account. Track failed authentication attempts to admin accounts and watch for lateral movement or data extraction queries following a successful login. Consider deploying a Web Application Firewall (WAF) rule to block requests to /admin/media.php that contain SQL syntax.

Why prioritize this

While CVE-2018-25410 has a CVSS score of 7.1 (HIGH) and does not appear on the KEV catalog, it remains a genuine confidentiality risk. The vulnerability requires authentication but is trivial to exploit once an attacker has credentials. Organizations with SIM-PKH 2.4.1 should treat this as a medium-priority patch candidate, especially if admin accounts are widely shared, have weak passwords, or operate in high-risk environments. Prioritize patching if you have reason to believe admin credentials may have been compromised.

Risk score, explained

The CVSS 3.1 score of 7.1 reflects high confidentiality impact (data extraction), low integrity impact (no data modification capability noted), and no availability impact. The requirement for prior authentication (PR:L) prevents an unauthenticated attacker from exploiting this flaw directly, but authenticated insiders or compromised admin accounts create a meaningful threat. Network-accessible endpoints and the simplicity of SQL injection attacks justify the HIGH severity rating.

Frequently asked questions

Does this vulnerability allow unauthenticated attackers to access the database?

No. CVE-2018-25410 requires valid admin credentials to the SIM-PKH application. It does not grant access to unauthenticated users but is a significant risk if admin accounts are compromised or if insider threats are a concern.

Can this vulnerability be exploited to modify or delete data?

The documented attack vector focuses on data extraction via UNION-based SQL injection. While SQL injection can potentially allow modification or deletion, the CVSS vector indicates low integrity impact, suggesting the primary risk is confidentiality. Test your specific deployment or consult the vendor for definitive guidance on modification capabilities.

Is there a public exploit or proof-of-concept available?

This advisory does not reference publicly available exploit code. However, SQL injection vulnerabilities are well-understood by attackers, and the attack method described (UNION-based injection) is standard. Assume exploitation is likely if this version remains unpatched in accessible environments.

What should we do if we cannot patch immediately?

Implement network segmentation to restrict access to /admin/media.php to trusted internal networks only. Enforce strong admin passwords and multi-factor authentication. Monitor database and web application logs for suspicious SQL activity. Set a firm patch deadline and prioritize this as a critical remediation task.

This analysis is based on the CVE record published 2026-05-30 and modified 2026-06-17. Verify all patch versions, vendor information, and affected product details directly with the SIM-PKH vendor or official security advisory before taking action. This advisory does not constitute legal, compliance, or vendor-specific technical advice. Organizations must conduct their own risk assessment and testing in accordance with their security policies and regulatory requirements. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).