PatchSiren cyber security CVE debrief
CVE-2018-25418 Aiopmsd CVE debrief
CVE-2018-25418 documents an unauthenticated SQL injection vulnerability in AiOPMSD Final 1.0.0. The flaw is in the year.php endpoint, which incorporates the year parameter into SQL queries without sanitizing or parameterizing it. An unauthenticated remote attacker can send crafted GET requests carrying SQL payloads in that parameter to extract sensitive database information, including usernames, database names, and version details. The vulnerability carries a HIGH severity CVSS score of 8.8. The CVE was published on 2026-05-30 and remains in 'Received' status in NVD records. Vendor attribution is uncertain: the only reference domain candidate is 'Exploit Db', so the vendor identification is low confidence and flagged for review. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Aiopmsd
- Product: AiOPMSD Final
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-05-30
- Advisory published: 2026-05-30
- Advisory updated: 2026-05-30
Who should care
Organizations running AiOPMSD Final 1.0.0, particularly those with instances exposed to untrusted networks. Security teams responsible for web application security, database administrators, and incident response teams should prioritize identification and remediation of this vulnerability due to its unauthenticated exploitation path and high confidentiality impact.
Technical summary
The vulnerability is in the year.php file of AiOPMSD Final 1.0.0, where the user-supplied year parameter is incorporated directly into the SQL query text without validation or parameterization. Because the parameter is parsed as part of the query rather than bound as a value, an unauthenticated remote attacker can alter the query's logic (a UNION clause appended to the parameter is the usual route) and read data the endpoint was never meant to return. Per the CVSS v4.0 vector, the attack is network-accessible with low complexity, requires no privileges or user interaction, and yields high confidentiality impact with low integrity impact and no availability impact. Since no authentication is needed, every network-exposed instance is directly at risk.
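The following is an added example, not code from AiOPMSD or from the advisory. It reproduces the pattern the summary describes in Python, with the sqlite3 module standing in for the application's PHP handler and database so it runs offline. The table names, column names and the UNION payload are assumptions for the illustration; the real year.php schema and the payload used against it are not described on this page.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's database.

    Table and column names are assumptions for the illustration; the real
    AiOPMSD schema is not described in the advisory.
    """
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE events (id INTEGER, year INTEGER, title TEXT);
        CREATE TABLE users  (id INTEGER, username TEXT, password TEXT);
        INSERT INTO events VALUES (1, 2023, 'Annual report'), (2, 2024, 'Budget');
        INSERT INTO users  VALUES (1, 'admin', 'hashed-secret'), (2, 'alice', 'hashed-too');
        """
    )
    return con


def vulnerable_lookup(con, year):
    """Mirrors the flaw described for year.php: the raw parameter is spliced
    into the SQL text, so anything after a valid number is parsed as SQL."""
    sql = "SELECT title FROM events WHERE year = " + year
    return [row[0] for row in con.execute(sql)]


def parameterized_lookup(con, year):
    """Same query with the value bound as a parameter. The driver never
    parses the value as SQL, so an injection payload is just a string that
    matches no row."""
    sql = "SELECT title FROM events WHERE year = ?"
    return [row[0] for row in con.execute(sql, (year,))]


def hardened_lookup(con, year):
    """Defence in depth: allow-list validation before the bound query, so
    garbage is rejected at the edge and never reaches the database."""
    if not re.fullmatch(r"\d{4}", year):
        raise ValueError("year must be a four-digit number")
    return parameterized_lookup(con, int(year))


def demo():
    """Return what each handler does with a crafted year value
    (constructed UNION-based extraction payload)."""
    con = build_db()
    payload = "0 UNION ALL SELECT username || ':' || password FROM users"
    out = {
        "vulnerable": vulnerable_lookup(con, payload),
        "parameterized": parameterized_lookup(con, payload),
    }
    try:
        hardened_lookup(con, payload)
        out["hardened"] = "accepted"
    except ValueError as exc:
        out["hardened"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} {result}")
```

Against the vulnerable handler the payload returns the credential rows of an unrelated table; a payload of `0 UNION ALL SELECT sqlite_version()` returns the engine version the same way, which is the "version details" class of leak the advisory describes (on MySQL the equivalents are `user()`, `database()` and `version()`). The bound-parameter version returns nothing for the same input, and the validated version refuses it before a query is issued.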
Defensive priority
HIGH
Recommended defensive actions
- Rewrite the year.php query to use prepared statements with bound parameters, and validate the year parameter against a strict allow-list (a four-digit integer) before it reaches the database layer
- Apply the same prepared-statement pattern to every other database interaction in the application, since the advisory only covers the endpoint that was reported
- Restrict database account privileges to limit impact of successful injection attacks
- Monitor web access logs for requests to year.php whose year parameter, after URL decoding, is not a plain four-digit year: quote characters, SQL keywords such as UNION or SELECT, comment sequences, and their percent-encoded forms
- Review and update web application firewall rules to detect and block SQL injection attempts against the affected endpoint
- Consider removing or disabling the vulnerable application if no patch is available and the software is not actively maintained
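As an added example of the log-monitoring item above (not tooling from the advisory or the vendor), the scanner below reads Apache combined-format access log lines, URL-decodes the year parameter of every request to year.php, and flags values that are not a bare four-digit year. The sample log lines, the /aiopmsd/ path prefix, the client addresses and the user agents are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format access log entries. The /aiopmsd/ path,
# client addresses and user agents are assumptions for the illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2026:10:01:02 +0000] "GET /aiopmsd/year.php?year=2024 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/May/2026:10:01:05 +0000] "GET /aiopmsd/year.php?year=2024%27%20UNION%20SELECT%20user()%2Cdatabase()%2Cversion()--%20- HTTP/1.1" 200 1873 "-" "sqlmap/1.7"
198.51.100.2 - - [30/May/2026:10:01:07 +0000] "GET /aiopmsd/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [30/May/2026:10:01:09 +0000] "GET /aiopmsd/year.php?year=2024+AND+1%3D1 HTTP/1.1" 200 512 "-" "curl/8.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate value is a bare four-digit year; anything else is suspect.
YEAR_OK = re.compile(r"\d{4}")
# Tokens that mark the value as a probable SQL payload rather than a typo.
SQL_TOKENS = re.compile(r"""['"]|--|/\*|\b(union|select|and|or|sleep|benchmark)\b""", re.I)


def scan_log(text):
    """Return one hit per year.php request whose decoded year value is not a
    plain four-digit year. Decoding happens before matching so percent- and
    plus-encoded payloads are not missed."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/year.php"):
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get("year", []):
            if YEAR_OK.fullmatch(value):
                continue
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "year": value,
                "sql_tokens": bool(SQL_TOKENS.search(value)),
            })
    return hits


def sources(hits):
    """Count flagged requests per client address, for a simple alert or block list."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], repr(h["year"]), "sql" if h["sql_tokens"] else "odd")
    print(sources(found))
```

Decoding before matching is the point: a grep or WAF rule keyed on the literal string UNION misses the percent-encoded request in the second sample line, while the `2024 AND 1=1` probe in the last line carries no quote at all and is caught only because it is not a bare year. A 200 status on a flagged request does not by itself mean data was returned, so the response size column is worth correlating; the bound-parameter fix in year.php is what removes the risk, and this scanner only tells you who is probing and from where.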
Evidence notes
The vulnerability is classified as CWE-89 (SQL Injection). CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. NVD vulnerability status is 'Received'. Vendor identification is marked low confidence with needsReview flag due to weak reference domain evidence. No CPE criteria are currently associated with this CVE.
Official resources
The stored evidence records no vendor advisory or patch; the only reference domain candidate is 'Exploit Db' (see Evidence notes). The CVE record description reads:
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability in year.php via the year parameter. Attackers can execute arbitrary SQL queries to extract sensitive database information without authentication.