PatchSiren cyber security CVE debrief
CVE-2018-25420 Aiopmsd CVE debrief
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection vulnerability in the watch.php endpoint. The 'id' parameter fails to properly sanitize user input, allowing remote attackers to inject arbitrary SQL commands via crafted GET requests. Successful exploitation can lead to extraction of sensitive database information including usernames, database names, and version details. The vulnerability is rated HIGH severity with a CVSS score of 8.8. The vendor is currently identified as unknown with low confidence based on reference domain analysis, and the entry requires review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Aiopmsd
- Product
- AiOPMSD Final
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-30
- Original CVE updated
- 2026-05-30
- Advisory published
- 2026-05-30
- Advisory updated
- 2026-05-30
Who should care
Organizations running AiOPMSD Final 1.0.0 for project management; security teams responsible for legacy PHP application portfolios; database administrators managing backends accessible through vulnerable web applications; incident response teams monitoring for unauthenticated SQL injection exploitation patterns
Technical summary
The vulnerability exists in AiOPMSD Final 1.0.0 within the watch.php script, where the 'id' GET parameter is directly incorporated into SQL queries without adequate sanitization or parameterization. Remote unauthenticated attackers can manipulate this parameter to alter query structure, enabling arbitrary SQL execution. The attack vector is network-accessible with low complexity and no authentication prerequisites. Successful attacks can extract database metadata including usernames, database names, and version information, representing a high confidentiality impact. The integrity impact is rated low with no availability impact. The product is distributed via SourceForge and appears to be unmaintained, increasing long-term risk for continued deployments.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries to the 'id' parameter in watch.php
- Implement prepared statements for all database interactions
- Restrict database account privileges to least-privilege principles
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting watch.php
- Monitor access logs for anomalous GET requests to watch.php containing SQL keywords or encoding patterns
- Remove or disable AiOPMSD Final 1.0.0 if no patch is available and the application is not essential
- Review database access logs for unauthorized query patterns indicative of exploitation
- Consider migrating to actively maintained project management software with security update support
Evidence notes
Vulnerability disclosed via VulnCheck advisory and documented in Exploit-DB entry 45690. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, high confidentiality impact, and low integrity impact. CWE-89 (SQL Injection) classified as primary weakness. SourceForge hosting confirmed for affected product distribution.
Official resources
AiOPMSD Final 1.0.0 watch.php 'id' parameter SQL injection