CVE-2018-25416: Unauthenticated SQL Injection in AiOPMSD Final 1.0.0
AiOPMSD Final version 1.0.0 contains a SQL injection flaw that allows anyone on the internet to query the application's database directly without logging in. An attacker can craft malicious requests to the country.php endpoint to extract sensitive information such as usernames, database names, and version numbers. This is a straightforward injection attack—the application fails to sanitize user input before passing it to SQL queries.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extract sensitive database information including usernames, database names, and version details.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25416 is an unauthenticated SQL injection vulnerability in AiOPMSD Final 1.0.0 affecting the country parameter in country.php. The vulnerability arises from insufficient input validation, allowing attackers to inject arbitrary SQL commands via GET requests. Successful exploitation enables unauthorized data extraction from the underlying database. The attack vector is network-based with low complexity and requires no authentication or user interaction, making it trivial to exploit. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects high confidentiality impact and limited integrity impact, with no availability disruption.
Business impact
Exploitation of this vulnerability enables attackers to access sensitive database contents including user credentials, application metadata, and system configuration details. Depending on what data resides in the database, exposure could lead to account compromise, privilege escalation, or further lateral movement within infrastructure. The lack of authentication requirement means any external party can attempt exploitation without prior access, significantly broadening the risk surface. For organizations running AiOPMSD Final 1.0.0, this represents a critical data confidentiality breach risk.
Affected systems
AiOPMSD Final version 1.0.0 is the sole affected version. The vulnerability is triggered through the country.php endpoint when the country parameter receives unsanitized input. Any deployment of this specific version should be considered at risk if exposed to untrusted network traffic.
Exploitability
This vulnerability is highly exploitable. It requires only network access and can be triggered via simple HTTP GET requests—no authentication, no special tools, and no user interaction needed. The attack complexity is low; a working proof-of-concept can be constructed by an attacker with basic SQL knowledge. Given the unauthenticated nature and straightforward injection mechanism, exploitation is likely to be attempted quickly and broadly once details are known.
Remediation
The primary remediation is to upgrade AiOPMSD Final beyond version 1.0.0. Verify that patches are available from the vendor and apply them immediately. If an upgrade path does not exist or is delayed, implement network-level access controls to restrict who can reach country.php, such as IP allowlisting or Web Application Firewall (WAF) rules that inspect and block malicious SQL patterns in the country parameter. Additionally, apply input validation and parameterized queries at the application code level if you maintain a fork of the software.
Patch guidance
Check the AiOPMSD vendor advisory and documentation for available patch versions beyond 1.0.0. Apply the patch following the vendor's deployment instructions. After patching, restart affected application instances and verify that the country parameter now properly rejects SQL injection attempts. Test with known SQL injection payloads (e.g., OR 1=1) to confirm the fix is effective.
Detection guidance
Monitor web server logs for GET requests to country.php that contain SQL keywords or special characters in the country parameter (e.g., single quotes, comment sequences, UNION, SELECT). Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns. Use database query logs to identify unusual queries or failed authentication attempts. Network intrusion detection systems (IDS) can be tuned to flag HTTP requests with SQL injection signatures targeting this endpoint. Additionally, database access logs should be reviewed for queries originating from unexpected sources or containing extracted data.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.2), unauthenticated access requirement, and low exploitation complexity. The exposure of database credentials and system metadata creates direct pathways for further compromise. Unlike vulnerabilities requiring authentication or user interaction, this flaw is accessible to any attacker with network connectivity. Organizations running AiOPMSD Final 1.0.0 should treat this as a critical priority.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects a network-accessible, unauthenticated attack with no user interaction needed (AV:N/AC:L/PR:N/UI:N). High confidentiality impact (C:H) stems from direct database query capability. Limited integrity impact (I:L) accounts for potential data modification through SQL injection, while no availability impact (A:N) is assigned because denial-of-service is not the primary concern. The unchanged scope (S:U) indicates the attacker's privileges remain within the normal bounds of the vulnerable component.
Frequently asked questions
Can this vulnerability be exploited without network access to the application?
No. The attack requires network connectivity to reach the country.php endpoint. However, if the application is exposed to the internet or on a network accessible to potential attackers, the barrier to exploitation is essentially nonexistent because no authentication is required.
What data is at risk if this vulnerability is exploited?
Any data stored in the application's database is potentially at risk, including usernames, passwords, database structure information, and application metadata. The specific sensitivity depends on what data the database contains and whether it is indexed in ways that make it easily extractable through SQL queries.
Is upgrading the only way to fix this vulnerability?
Upgrading to a patched version is the recommended solution. If an immediate patch is unavailable, you can temporarily mitigate risk by restricting network access to country.php using firewall rules or WAF policies that block requests containing SQL injection patterns. However, these mitigations are not a substitute for patching.
How can I detect if an attacker has already exploited this flaw?
Review your web server access logs for unusual requests to country.php with SQL keywords or special characters in the country parameter. Check database query logs for unexpected queries, particularly those executed from the application's user context. Database access logs should show any successful data extraction attempts. Forensic analysis of database activity before the patch was applied may reveal exploitation.
This analysis is provided for informational purposes to assist security decision-making. Verify all patch versions, vendor advisories, and deployment instructions directly with AiOPMSD vendor documentation before applying remediation. The information herein does not constitute legal or compliance advice. Organizations are responsible for validating vulnerability applicability to their environment and conducting thorough testing before deploying patches or mitigations in production systems. No exploit code or weaponized proof-of-concept is provided or endorsed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access