PatchSiren cyber security CVE debrief
CVE-2018-25415 Aiopmsd CVE debrief
CVE-2018-25415 documents an unauthenticated SQL injection vulnerability in AiOPMSD Final 1.0.0. The flaw resides in the `director` parameter of `director.php`, where attacker-controlled input is incorporated directly into SQL queries without adequate sanitization. An unauthenticated remote attacker can exploit this by sending a crafted GET request to `director.php` with a malicious SQL payload in the `director` parameter, enabling arbitrary SQL execution. Successful exploitation can lead to extraction of sensitive database information, including usernames, database names, and version details. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements in SQL Command). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and no user interaction, with high confidentiality impact. The vendor attribution is marked low confidence and requires review, with the only vendor evidence being a reference domain candidate of 'Exploit Db'. The CVE was published and last modified on 2026-05-30. No Known Exploited Vulnerabilities (KEV) entry exists for this issue.
- Vendor
- Aiopmsd
- Product
- AiOPMSD Final
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-30
- Original CVE updated
- 2026-05-30
- Advisory published
- 2026-05-30
- Advisory updated
- 2026-05-30
Who should care
Organizations running AiOPMSD Final 1.0.0, security teams responsible for web application security, and database administrators managing instances of this application.
Technical summary
An unauthenticated SQL injection vulnerability exists in AiOPMSD Final 1.0.0 in the `director` parameter of `director.php`. Remote attackers can execute arbitrary SQL queries via crafted GET requests, potentially extracting sensitive database information including usernames, database names, and version details.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries (prepared statements) to the `director` parameter in `director.php` to prevent SQL injection.
- Implement least-privilege database access controls to limit impact if injection occurs.
- Review and sanitize all user-supplied input within the application for similar vulnerabilities.
- If patching is not immediately available, consider restricting access to `director.php` via web application firewall rules or access controls.
- Monitor web server logs for suspicious GET requests to `director.php` containing SQL keywords or unusual `director` parameter values.
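Added detection example for the log-monitoring action above (this is not code from the advisory or from the AiOPMSD project): it parses combined-format access log lines, decodes the `director` query parameter, and reports requests to `director.php` whose value is not a plain integer. The sample log lines are constructed, and the assumption that `director` is a numeric id is mine.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in combined log format (not real traffic); two of them
# carry SQL syntax in the `director` parameter, one is a benign numeric lookup.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2026:10:00:01 +0000] "GET /director.php?director=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [30/May/2026:10:00:05 +0000] "GET /director.php?director=12%27%20OR%201%3D1-- HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.12 - - [30/May/2026:10:00:09 +0000] "GET /director.php?director=12+UNION+SELECT+user()%2Cdatabase() HTTP/1.1" 200 901 "-" "python-requests/2.31"
203.0.113.13 - - [30/May/2026:10:00:12 +0000] "GET /index.php?page=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# SQL keywords and metacharacters that have no business in an id-style parameter.
SQL_SYNTAX = re.compile(
    r"\b(union|select|from|where|or|and|sleep|benchmark|information_schema)\b|--|/\*|#|['\"();]",
    re.IGNORECASE,
)


def suspicious_director_requests(log_text):
    """Return one dict per request to director.php whose `director` value is not a
    plain integer (assumption: the application expects a numeric director id)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector would count these
        url = urlsplit(m["target"])
        if not url.path.endswith("/director.php"):
            continue
        # parse_qs percent-decodes once; a second unquote_plus catches double-encoded
        # values such as %2527, which an application may decode again before use.
        for raw in parse_qs(url.query, keep_blank_values=True).get("director", []):
            value = unquote_plus(raw)
            if value.strip().isdigit():
                continue
            reason = "sql-syntax" if SQL_SYNTAX.search(value) else "non-numeric"
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "value": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in suspicious_director_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} director={hit['value']!r} ({hit['reason']})")
```

Feed it the real access log with `suspicious_director_requests(open(path).read())`; the `status` field matters because a 200 on a malformed parameter is a stronger signal than a 4xx rejected by a WAF.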
Evidence notes
The vulnerability is identified as CWE-89. The CVSS 4.0 vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Vendor attribution is low confidence based on reference domain candidate 'Exploit Db' and requires review. No KEV entry is present.
Official resources
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability in the `director` parameter of `director.php`.