CVE-2018-25418: SQL Injection in AiOPMSD Final 1.0.0 – Unauthenticated Remote Code Execution Risk
AiOPMSD Final version 1.0.0 contains an SQL injection vulnerability in its year parameter that allows attackers to execute arbitrary database queries without authentication. By crafting malicious SQL code and sending it through GET requests to the year.php endpoint, an attacker can extract sensitive information such as usernames, database names, and database version details. The vulnerability requires no user interaction and can be exploited over the network by any unauthenticated actor.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a classic SQL injection vulnerability (CWE-89) affecting AiOPMSD Final 1.0.0. The year parameter in year.php fails to properly sanitize or parameterize user input before incorporating it into SQL queries. An attacker can inject SQL metacharacters and commands to break out of the intended query context and execute arbitrary SQL statements. The attack vector is straightforward: GET requests to year.php with crafted payloads in the year parameter bypass input validation and reach the database layer directly. The vulnerability permits information disclosure attacks targeting the database schema, credentials, and system metadata.
Business impact
Successful exploitation could expose your organization's database credentials, usernames, and structural information that attackers use for reconnaissance and further attacks. This information disclosure may lead to unauthorized data access, compliance violations if personal or regulated data is exposed, and reputational damage. Because exploitation requires no authentication or user interaction, the exposure window is immediate and continuous until the application is patched or taken offline.
Affected systems
AiOPMSD Final version 1.0.0 is confirmed vulnerable. Organizations running this specific version—particularly in production environments—face direct risk. The vulnerability affects any deployment of this software accessible over the network. No other versions or products are specified in the published data, so verify your inventory against version 1.0.0 specifically.
Exploitability
This vulnerability has a high exploitability profile. The attack requires no authentication, no special privileges, and no user interaction. Network access is sufficient. The exploit technique—SQL injection via URL parameters—is well-understood and easily weaponized. Automated scanning tools can detect the vulnerable parameter and attempt injection payloads with minimal effort. The fact that the vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog does not diminish the technical ease of exploitation; it reflects publication recency rather than difficulty.
Remediation
Upgrade AiOPMSD Final to a patched version released after this vulnerability's publication date of May 30, 2026. Contact your vendor for patched releases and timelines. As an interim measure, isolate the affected application from untrusted networks, disable or restrict access to year.php if operationally feasible, and implement Web Application Firewall (WAF) rules to block SQL injection patterns in the year parameter. Monitor database query logs for suspicious SQL syntax or error messages that may indicate exploitation attempts.
Patch guidance
Check the AiOPMSD vendor's security advisories and release notes for patches addressing CVE-2018-25418. Patches should be applied to all instances of version 1.0.0 in your environment. Before deploying patches to production, test them in a staging environment to confirm compatibility with your configurations and downstream systems. Verify patch application by confirming the installed version and re-testing the vulnerable year.php parameter with safe payloads to confirm input sanitization is in place.
Detection guidance
Monitor for GET requests to year.php containing SQL metacharacters (single quotes, double quotes, dashes, semicolons, keywords like 'UNION', 'SELECT', 'OR', 'AND') in the year parameter. Database activity logs may show unusual queries, errors related to malformed SQL, or unexpected data retrieval patterns. Web application firewall logs should flag attempts to inject SQL syntax. Consider deploying SQL injection detection signatures and correlating web server logs with database query logs to identify exploitation attempts.
Why prioritize this
This vulnerability scores 8.2 (HIGH) under CVSS 3.1 and poses significant risk due to the combination of unauthenticated access, high confidentiality impact (database credential and schema exposure), and trivial exploit complexity. The lack of authentication requirement and straightforward network attack vector make this a priority remediation target. Organizations should treat this as urgent if they operate AiOPMSD Final 1.0.0 in any network-accessible location.
Risk score, explained
The CVSS 3.1 score of 8.2 reflects: (1) Network attack vector—exploitable remotely with no special network positioning; (2) Low attack complexity—no special conditions or authentication required; (3) No privileges required—unauthenticated attackers can exploit; (4) No user interaction—attacks succeed autonomously; (5) High confidentiality impact—sensitive database information is exposed; (6) Low integrity impact—the vulnerability primarily enables data exfiltration rather than modification; (7) No availability impact—the application does not crash or become unavailable. The high score appropriately emphasizes the information disclosure risk and ease of exploitation.
Frequently asked questions
How can we tell if our AiOPMSD instance is vulnerable?
Check your installed version—only AiOPMSD Final 1.0.0 is confirmed vulnerable. If you are running version 1.0.0 and the year.php endpoint is network-accessible (not blocked by firewall rules or WAF), you are vulnerable. You can test by accessing year.php with a benign parameter and confirming it processes input; do not attempt SQL injection payloads on production systems without expert guidance.
Can this vulnerability be exploited if year.php is not directly accessible from the internet?
Technically, the vulnerability exists in the code regardless of network accessibility. However, practical risk depends on your network topology. If year.php is only accessible from trusted internal networks (e.g., behind a corporate firewall), the threat surface is smaller. However, internal attackers, compromised internal systems, or lateral movement by attackers who have breached other systems could still exploit it. Assume the vulnerability is exploitable if any unauthenticated user can reach year.php over the network.
What data is at highest risk of exposure?
Database usernames, database names, database version information, and potentially table/column structures can be extracted via crafted SQL queries. Depending on database permissions and schema design, attackers might also access sensitive business data stored in those tables. The initial attack surface focuses on metadata, but downstream risk extends to any data the database contains.
Is there a workaround if we cannot patch immediately?
Patching is the correct fix. Interim mitigations include: (1) restrict network access to year.php using firewall rules or network segmentation; (2) deploy a WAF rule that blocks SQL injection patterns in the year parameter; (3) disable or remove the year.php endpoint if it is not critical to operations; (4) monitor database logs aggressively for exploitation signs. These do not eliminate the vulnerability, so prioritize patching as soon as a patch is available.
This analysis is provided for informational purposes and reflects publicly disclosed vulnerability data as of the publication date. SEC.co makes no warranties regarding the completeness or accuracy of this information. Organizations should verify all details—including affected versions, patch availability, and remediation steps—against official vendor advisories and their own environment configurations. Testing should only be performed in controlled, non-production environments with proper authorization. Security decisions should be made in consultation with your security team and vendor support. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access