PatchSiren cyber security CVE debrief
CVE-2018-25382 Bylancer CVE debrief
CVE-2018-25382 documents an unauthenticated SQL injection vulnerability in Zechat 1.5, a PHP-based chat application. The flaw resides in the `uname` parameter of `profile.php`, where insufficient input sanitization allows attackers to inject arbitrary SQL code. Successful exploitation enables extraction of database schema information and sensitive data via UNION-based injection techniques targeting the `information_schema` database. The vulnerability carries a HIGH severity CVSS score of 8.8, reflecting significant confidentiality impact with network-based attack vector requiring no authentication. The CVE was published on May 29, 2026, with subsequent modification the same day; the underlying vulnerability dates to 2018 based on the CVE identifier and available exploit documentation. Vendor attribution points to Bylancer as the product distributor, though confidence is low and requires review. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor
- Bylancer
- Product
- Zechat
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running Zechat 1.5 for internal or customer-facing chat services; security teams responsible for legacy PHP application maintenance; web application firewall administrators; database administrators concerned with unauthorized schema enumeration and data extraction
Technical summary
The vulnerability exists in Zechat 1.5's profile.php script, specifically the uname parameter handling. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, resulting in classic SQL injection (CWE-89). Attackers can craft malicious requests containing UNION-based payloads to enumerate database structure through information_schema queries and extract sensitive data. The attack requires no authentication and can be executed remotely over the network. CVSS 4.0 scoring reflects high confidentiality impact with low integrity impact and no availability impact.
Defensive priority
HIGH
Recommended defensive actions
- Remove or restrict access to Zechat 1.5 installations pending patch availability
- Implement Web Application Firewall rules to detect and block SQL injection patterns targeting the uname parameter
- Apply input validation and parameterized queries to all database interactions in profile.php
- Review application logs for historical exploitation attempts involving UNION-based SQL injection payloads
- Contact Bylancer for patch status and migration path to supported product version
Evidence notes
SQL injection confirmed through CWE-89 classification. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, high confidentiality impact. Exploit-DB reference 45523 provides technical validation of vulnerability existence.
Official resources
Disclosed via VulnCheck and documented in NVD with reference to Exploit-DB entry 45523. Vendor website references suggest commercial product distribution.