PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25417 Aiopmsd CVE debrief

CVE-2018-25417 documents an unauthenticated SQL injection vulnerability in AiOPMSD Final 1.0.0, a project distributed via SourceForge. The flaw resides in quality.php, where the quality parameter is not sanitized before being incorporated into SQL queries. Attackers can exploit this via crafted GET requests to execute arbitrary SQL, enabling extraction of sensitive database metadata including usernames, database names, and version information. The vulnerability carries a HIGH severity CVSS score of 8.8. The CVE was published on 2026-05-30 and is currently in 'Received' status per NVD records. No known exploitation in ransomware campaigns has been catalogued in CISA KEV. Vendor attribution remains uncertain: the vendor is identified only as 'Unknown Vendor', with low-confidence evidence linking to 'Exploit Db' as a reference-domain candidate, flagged for review.

Vendor: Aiopmsd
Product: AiOPMSD Final
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-30
Original CVE updated: 2026-05-30
Advisory published: 2026-05-30
Advisory updated: 2026-05-30

Who should care

Organizations running AiOPMSD Final 1.0.0; security teams monitoring legacy PHP applications; incident responders investigating unauthorized database access; developers maintaining or forking the AiOPMSD SourceForge project

Technical summary

The quality.php endpoint in AiOPMSD Final 1.0.0 accepts a quality parameter via HTTP GET requests without adequate sanitization or parameterization. This allows unauthenticated remote attackers to inject arbitrary SQL syntax into backend database queries. Successful exploitation can yield sensitive database information including usernames, database names, and version details. The attack vector is network-accessible, requires no privileges or user interaction, and has low attack complexity. Integrity impact is rated LOW; confidentiality impact is HIGH. No availability impact is indicated. The vulnerability is not currently listed in CISA KEV.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries (prepared statements) to the quality parameter in quality.php
  • Implement least-privilege database access controls to limit impact of successful injection
  • Remove or restrict access to quality.php if the functionality is non-essential
  • Monitor web access logs for anomalous GET requests to quality.php containing SQL keywords or encoding patterns
  • Review database query logs for unexpected SELECT statements returning schema or user metadata
  • Validate that web application firewalls (WAFs) are configured with rules detecting SQL injection payloads in query parameters
  • Coordinate with the software maintainer or SourceForge project page for official patch availability
  • Consider application-layer code review for similar unsanitized parameters across the AiOPMSD codebase
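The log-monitoring action above, worked through as an added example that is not part of the original advisory: a Python scanner that picks GET requests to quality.php out of Apache-style access-log lines, decodes the quality parameter and flags quote characters, SQL keywords, comment markers and extra percent-encoding layers. The log lines, client addresses and the /aiopmsd/ path prefix are constructed for the example and are not taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines for illustration only; not real traffic.
SAMPLE_LOG = [
    '198.51.100.10 - - [30/May/2026:10:01:02 +0000] "GET /aiopmsd/quality.php?quality=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/May/2026:10:01:09 +0000] "GET /aiopmsd/quality.php?quality=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "curl/8.0"',
    '198.51.100.23 - - [30/May/2026:10:01:40 +0000] "GET /aiopmsd/quality.php?quality=3%2527%2520UNION%2520SELECT HTTP/1.1" 500 221 "-" "curl/8.0"',
    '198.51.100.10 - - [30/May/2026:10:03:00 +0000] "GET /aiopmsd/index.php?page=1%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# Fields of the common/combined log format that the rules below need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
SQL_KEYWORDS = re.compile(r"\b(union|select|or|and|from|where|information_schema|sleep|benchmark)\b", re.I)
COMMENT_MARKERS = re.compile(r"--|/\*|#")

def suspicious_reasons(raw_value):
    # parse_qs already removed one encoding layer; any further layer is itself a signal.
    value, extra = raw_value, 0
    while extra < 3 and unquote(value) != value:
        value, extra = unquote(value), extra + 1
    reasons = ["extra percent-encoding layer"] if extra else []
    if "'" in value or '"' in value:
        reasons.append("quote character")
    if SQL_KEYWORDS.search(value):
        reasons.append("sql keyword")
    if COMMENT_MARKERS.search(value):
        reasons.append("comment marker")
    return reasons

def scan_access_log(lines):
    # One finding per GET to quality.php whose quality value trips at least one rule.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path.rsplit("/", 1)[-1].lower() != "quality.php":
            continue
        for raw_value in parse_qs(url.query).get("quality", []):
            reasons = suspicious_reasons(raw_value)
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "value": raw_value, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} quality={f['value']!r} -> {', '.join(f['reasons'])}")
```

Requests to other endpoints (the index.php line) are ignored here; widening the path filter is the natural next step when reviewing the rest of the codebase for similar parameters.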

Evidence notes

The vulnerability is classified as CWE-89 (SQL Injection). CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. References include the AiOPMSD SourceForge project page, download link, an Exploit-DB entry (45690), and a VulnCheck advisory. NVD vulnStatus: Received.

Official resources

AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability in the quality.php endpoint. The quality parameter accepts unsanitized input that is passed directly to backend SQL queries, permitting arbitrary SQL execution.