PatchSiren cyber security CVE debrief
CVE-2018-25414 Aiopmsd CVE debrief
CVE-2018-25414 documents an unauthenticated SQL injection vulnerability in AiOPMSD Final 1.0.0, a PHP-based application distributed via SourceForge. The flaw resides in actor.php, where the actor parameter is passed directly into SQL queries without proper sanitization or parameterization. An unauthenticated remote attacker can send crafted GET requests to this endpoint to execute arbitrary SQL, enabling extraction of sensitive database contents such as usernames, database names, and version information. The vulnerability was disclosed with a CVSS 4.0 vector of AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N, reflecting network attackability with low complexity, no privileges required, and high confidentiality impact. The vendor is currently identified as unknown with low confidence based on reference domain analysis pointing to Exploit-DB. The CVE was published on 2026-05-30 and remains in 'Received' status per NVD records. No known exploitation in ransomware campaigns has been catalogued in CISA KEV.
- Vendor
- Aiopmsd
- Product
- AiOPMSD Final
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-30
- Original CVE updated
- 2026-05-30
- Advisory published
- 2026-05-30
- Advisory updated
- 2026-05-30
Who should care
Organizations running AiOPMSD Final 1.0.0, particularly instances with actor.php exposed to untrusted networks; security teams responsible for legacy PHP application maintenance; incident responders investigating potential database compromise in environments using this software
Technical summary
The vulnerability exists in the actor.php endpoint of AiOPMSD Final 1.0.0, where user-supplied input via the actor GET parameter is concatenated directly into SQL queries without sanitization. This classic SQL injection flaw allows unauthenticated remote attackers to manipulate query structure, execute arbitrary SQL commands, and extract sensitive information from the backend database. The attack vector is network-based, requires no authentication, and can be exploited with low complexity. Successful exploitation yields high confidentiality impact through unauthorized database read access.
Defensive priority
HIGH
Recommended defensive actions
- Remove or restrict access to AiOPMSD Final 1.0.0 instances, particularly actor.php, until a patched version is available from the vendor
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the actor parameter in actor.php
- Apply input validation and parameterized queries (prepared statements) to all database interactions in actor.php if maintaining a custom fork
- Monitor web server logs for anomalous GET requests to actor.php containing SQL keywords, union operators, or encoded payload patterns
- Conduct database audit to identify unauthorized query execution or data exfiltration if the application has been internet-facing
- Review and rotate database credentials if compromise is suspected, and restrict database user privileges to least-permission principles
Evidence notes
Vulnerability identified in actor.php parameter 'actor'. CVSS 4.0 vector provided in NVD metadata. References include SourceForge project page, Exploit-DB entry 45690, and VulnCheck advisory. Vendor attribution marked low confidence with review needed.
Official resources
Unauthenticated SQL injection in AiOPMSD Final 1.0.0 actor.php via the actor parameter, enabling arbitrary SQL execution and sensitive data extraction.