CVE-2018-25425: Unauthenticated SQL Injection in Yot CMS 3.3.1
Yot CMS version 3.3.1 contains an unauthenticated SQL injection vulnerability accessible through HTTP GET requests. An attacker can manipulate the 'aid' or 'cid' URL parameters to inject arbitrary SQL commands, potentially exposing sensitive database information without requiring any authentication or user interaction. The vulnerability is network-accessible and relatively straightforward to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25425 is a classic SQL injection flaw (CWE-89) in Yot CMS 3.3.1 where user-supplied input in the aid and cid parameters is not properly sanitized before being incorporated into SQL queries. The vulnerability exists in index.php and is exploitable via GET requests, allowing attackers to bypass authentication and execute arbitrary SQL operations. Successful exploitation enables data exfiltration, including enumeration of database structure, table names, and column definitions.
Business impact
An attacker exploiting this vulnerability could extract sensitive data from the CMS database, potentially including user credentials, configuration data, and business-critical information. Unlike vulnerabilities limited to data modification, this flaw emphasizes confidentiality breach, though limited integrity impact is also possible. For organizations running Yot CMS 3.3.1, exposure of database schemas and user information could lead to further compromise, regulatory violations, and reputational damage.
Affected systems
Yot CMS version 3.3.1 is affected. Organizations should verify whether this or related versions are deployed in their environment. Given the age of the vulnerability publication (May 2026), it is critical to establish whether systems have been patched or upgraded. Newer versions of Yot CMS should be checked against vendor advisories to confirm patched status.
Exploitability
The vulnerability has a CVSS 3.1 exploitability subscore reflecting no authentication requirement, low attack complexity, and network accessibility. Exploitation requires only crafted HTTP GET requests—no user interaction or special privileges. The attack can be mounted by any unauthenticated internet user with network access to the CMS. The straightforward nature of SQL injection in this context suggests moderate to high real-world exploitability; however, the vulnerability has not been flagged for inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last modification date.
Remediation
Upgrade Yot CMS to a version that patches this SQL injection vulnerability. Verify the specific patched version through the Yot CMS vendor advisory or release notes. As an interim control, implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the aid and cid parameters. Restrict network access to the CMS if deployment context permits. Input validation and parameterized queries should be verified in any patched release.
Patch guidance
Contact Yot CMS vendor for definitive patch version information and apply the update as soon as possible. Given the high CVSS score and ease of exploitation, this should be prioritized in your patching cycle. Verify patch deployment by confirming the CMS version and testing that SQL injection payloads in aid and cid parameters are properly rejected. Document the patching timeline for compliance records.
Detection guidance
Monitor web server access logs and application logs for suspicious patterns in GET requests to index.php, particularly those containing SQL keywords (SELECT, UNION, OR, AND, etc.) in the aid or cid parameters. Implement log correlation to identify multiple injection attempts from the same source. Network-based detection via WAF rules for SQL injection signatures in query strings is effective. Database activity monitoring can also detect anomalous SQL execution patterns resulting from injected queries.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.2), unauthenticated and network-accessible attack vector, and high confidentiality impact. The lack of KEV listing does not diminish urgency; it reflects that no in-the-wild weaponized exploits have been formally cataloged, not that the flaw is low-risk. Organizations running Yot CMS 3.3.1 should treat this as a priority remediation target, particularly if the CMS contains sensitive data.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects: (1) Network attack vector—accessible from any internet connection; (2) Low attack complexity—no special conditions required; (3) No authentication—unauthenticated users can exploit; (4) High confidentiality impact—direct database access; (5) Limited integrity and no availability impact. The score appropriately captures the severity of unauthenticated data exfiltration while acknowledging that direct system destruction is not the primary threat.
Frequently asked questions
How can I verify if my Yot CMS installation is vulnerable?
Check your Yot CMS version number in the admin panel or configuration files. If it is 3.3.1, you are affected. Attempt to query the aid or cid parameters with simple SQL injection payloads (e.g., adding ' OR '1'='1) in a test environment and observe whether database errors are returned. However, do not perform testing on production systems without proper authorization. Consult your WAF logs for any blocked SQL injection attempts as an indirect indicator of active exploitation attempts.
What data is most at risk from this vulnerability?
Any data stored in the Yot CMS database is at risk, including user account credentials, email addresses, personal information, configuration settings, and business data. Attackers can use UNION-based or blind SQL injection to extract entire tables. The vulnerability does not limit attackers to read-only access—limited write operations may also be possible depending on database permissions and the specific SQL injection technique used.
Is there a workaround if we cannot patch immediately?
Implement network segmentation to restrict access to the CMS application to known trusted sources. Deploy a WAF with SQL injection detection rules targeting the aid and cid parameters specifically. Filter or block requests containing common SQL keywords in those parameters. Monitor database connection logs for suspicious activity. These controls reduce attack surface but do not eliminate the underlying vulnerability—patching remains the definitive solution.
Why isn't this on the CISA KEV list if it's so serious?
CISA's KEV catalog specifically tracks vulnerabilities for which active, in-the-wild exploitation has been confirmed. The absence of a KEV entry does not indicate low severity; rather, it means no evidence of coordinated exploitation campaigns has been documented. The HIGH CVSS score and ease of exploitation make this a priority vulnerability regardless of KEV status. Organizations should not use KEV listing as the sole basis for prioritization.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. SEC.co does not provide warranty regarding the completeness or accuracy of vendor information. Patch version numbers and specific remediation steps should be verified directly against Yot CMS vendor advisories and official release notes. Testing of mitigations should be performed only in controlled, non-production environments with proper authorization. Organizations are responsible for determining applicability to their environment and compliance with applicable laws and policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access