PatchSiren cyber security CVE debrief
CVE-2018-25424 Livebms CVE debrief
CVE-2018-25424 documents an unauthenticated SQL injection vulnerability in Gate Pass Management System 2.1 that enables authentication bypass. The vulnerability resides in login-exec.php, where attacker-controlled input submitted via POST request parameters for login and password is incorporated into SQL queries without adequate sanitization. Successful exploitation allows remote attackers to authenticate without valid credentials and gain unauthorized access to the application. The vulnerability was published in the CVE corpus on 2026-05-30 and last modified on 2026-06-01. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact to the vulnerable component. The vendor attribution is marked low confidence based on reference domain candidate evidence pointing to Livebms, with review needed. No known exploitation in ransomware campaigns is recorded, and the vulnerability is not listed in CISA KEV.
- Vendor
- Livebms
- Product
- Gate Pass Management System
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-30
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-05-30
- Advisory updated
- 2026-06-01
Who should care
Organizations operating Gate Pass Management System 2.1; security teams responsible for web application protection; incident response teams monitoring for authentication bypass attempts; developers maintaining PHP-based access control systems
Technical summary
The Gate Pass Management System 2.1 contains an unauthenticated SQL injection vulnerability in its authentication handler, login-exec.php. The application fails to properly sanitize user-supplied input in the login and password POST parameters before incorporating them into SQL queries. Remote attackers can submit crafted POST requests containing SQL injection payloads to manipulate the query logic and bypass authentication checks without possessing valid credentials. Successful exploitation grants unauthorized access to the application. The vulnerability is classified under CWE-89 (SQL Injection) with a HIGH severity CVSS 4.0 score. Network-based exploitation requires no privileges or user interaction, with low attack complexity.
Defensive priority
HIGH
Recommended defensive actions
- Apply input validation and parameterized queries to all authentication endpoints, particularly login-exec.php
- Implement prepared statements to prevent SQL injection in login and password parameters
- Review and restrict database account privileges used by the application to limit impact of injection attacks
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection payloads in POST requests to authentication endpoints
- Monitor authentication logs for anomalous login patterns indicative of injection attempts
- If vendor patch is unavailable, consider isolating the application from untrusted networks until remediation
- Conduct code review of all database-interacting components for similar injection vulnerabilities
Evidence notes
Vulnerability identified in login-exec.php through SQL injection in login and password form parameters. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. CWE-89 (SQL Injection) assigned as primary weakness. Vendor attribution derived from reference domain candidate 'Livebms' with low confidence; review required.
Official resources
Unauthenticated SQL injection in Gate Pass Management System 2.1 login-exec.php enables authentication bypass via crafted POST requests.