PatchSiren cyber security CVE debrief
CVE-2018-25398 Open ISES CVE debrief
CVE-2018-25398 documents an SQL injection vulnerability in The Open ISES Project version 3.30A. The flaw resides in the `frm_passwd` parameter of `main.php`: the value is used in a database query without sanitization or parameterization, so an unauthenticated attacker can submit SQL syntax in a POST request and alter the queries the application runs. Successful exploitation allows extraction of sensitive information, including usernames, database names, and version details. The vulnerability carries a CVSS 4.0 score of 8.8 (HIGH) with a network attack vector, low attack complexity, no privileges required, no user interaction, high confidentiality impact, and low integrity impact. The weakness is classified as CWE-89 (SQL Injection). The CVE record was published on May 29, 2026 and modified the same day. The vulnerability status is currently marked as 'Deferred' in the National Vulnerability Database. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Open ISES
- Product: Open ISES Project
- CVSS 4.0: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running The Open ISES Project 3.30A for incident management and emergency services coordination; security teams responsible for protecting public safety and emergency response systems; database administrators managing backend systems for open-source incident management platforms; and vulnerability management programs tracking deferred-status CVEs for risk prioritization.
Technical summary
The vulnerability exists in the form handler in main.php that processes the frm_passwd field (the password or password-recovery input). The frm_passwd parameter is accepted without sanitization or parameterization and concatenated directly into an SQL statement. An unauthenticated remote attacker can therefore send a POST request whose frm_passwd value contains SQL metacharacters and keywords to change the query's logic, enabling data exfiltration (the high confidentiality impact in the CVSS vector), authentication bypass, or potentially further database compromise depending on the privileges of the database account the application uses. The attack requires no privileges or user interaction and can be executed over the network with low complexity.
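The following is an added illustration, not code from the Open ISES project: the actual main.php is not on this page, so the handler, the `users` table and its columns are assumptions, and Python's sqlite3 module stands in for the PHP database layer. It shows the concatenation pattern CWE-89 describes beside its parameterized replacement, using two classic SQLi test strings (a tautology that bypasses the password check and a UNION that pulls the database version) that are generic examples rather than anything taken from the Exploit-DB entry.

```python
import sqlite3

# Assumed schema for illustration only. Plaintext passwords are used here solely to keep
# the example short; a real application must store password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, frm_user, frm_passwd):
    """Hypothetical vulnerable handler: POST fields are concatenated into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + frm_user
           + "' AND password = '" + frm_passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_fixed(conn, frm_user, frm_passwd):
    """Hardened form: bound parameters are sent separately from the statement, so quotes
    and keywords inside frm_passwd are compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (frm_user, frm_passwd),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = make_db()
    # Tautology: password = '' OR '1'='1' makes the WHERE clause true for every row.
    print("vulnerable, tautology:", login_vulnerable(conn, "admin", "' OR '1'='1"))
    # UNION: the injected SELECT appends the engine version to the result set,
    # the kind of information leak the advisory describes.
    print("vulnerable, version leak:",
          login_vulnerable(conn, "nobody", "' UNION SELECT sqlite_version() --"))
    # The same payloads against the parameterized query simply fail to match a password.
    print("fixed, tautology:", login_fixed(conn, "admin", "' OR '1'='1"))
    print("fixed, real password:", login_fixed(conn, "admin", "correct-horse"))
```

The fix is the parameterized query alone; input validation on frm_passwd is a useful second layer but cannot be the primary control, because a password field legitimately contains quotes and other metacharacters.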
Defensive priority
HIGH
Recommended defensive actions
- Review and validate vendor identification for The Open ISES Project; source data indicates low confidence requiring manual review
- If running Open ISES Project 3.30A, patch main.php so that frm_passwd reaches the database only through a prepared statement with bound parameters; input validation on the field is a secondary layer, not a substitute
- Implement Web Application Firewall rules to detect and block SQL injection payloads in POST requests to main.php as a compensating control while the code is unpatched
- Monitor for POST requests to main.php with anomalous frm_passwd values; note that standard access logs record only the request line, so the parameter is visible only if request bodies are logged at the WAF, reverse proxy, or application layer
- Consider upgrading to a patched version if available, or contact the project maintainers via SourceForge for security updates
- Restrict network access to Open ISES Project installations to authorized administrative hosts where possible
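As an added example of the monitoring step, not part of the advisory or the project, the script below scans log lines for POST requests to main.php whose frm_passwd value carries SQL injection signatures. The log format is an assumption: a reverse-proxy log extended with the URL-encoded request body as a final quoted field, since a plain access log would not contain the parameter at all. The sample lines are constructed, and the injection strings are generic test payloads, not anything taken from the Exploit-DB entry.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample. The trailing quoted field is the POST body; assumed to be enabled in the
# proxy's log format, because ordinary access logs keep only the request line.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2026:10:15:01 +0000] "POST /main.php HTTP/1.1" 200 512 "frm_user=alice&frm_passwd=Summer2026%21"
10.0.0.9 - - [29/May/2026:10:15:07 +0000] "POST /main.php HTTP/1.1" 200 4096 "frm_user=admin&frm_passwd=%27+OR+%271%27%3D%271"
10.0.0.9 - - [29/May/2026:10:15:09 +0000] "POST /main.php HTTP/1.1" 200 4096 "frm_user=x&frm_passwd=%27+UNION+SELECT+version%28%29+--+"
10.0.0.7 - - [29/May/2026:10:15:12 +0000] "GET /main.php HTTP/1.1" 200 1200 "-"
10.0.0.8 - - [29/May/2026:10:15:20 +0000] "POST /main.php HTTP/1.1" 200 512 "frm_user=obrien&frm_passwd=O%27Brien99"
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)

# A lone apostrophe is deliberately not a signature: real passwords contain them (see the
# O'Brien line) and flagging every quote buries the genuine hits in noise.
SQLI_SIGNATURES = {
    "tautology": re.compile(r"'\s*(?:or|and)\b", re.I),
    "union_select": re.compile(r"\bunion\b.{0,24}\bselect\b", re.I),
    "comment_after_quote": re.compile(r"'\s*(?:--|/\*|#)"),
}

def classify_payload(value):
    """Return the names of the SQLi signatures matching a decoded frm_passwd value."""
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(value)]

def scan_log(lines, path="/main.php", param="frm_passwd"):
    """Return one hit per POST to `path` whose `param` value matches an SQLi signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if urlsplit(m["target"]).path != path:
            continue
        # parse_qs decodes %xx escapes and '+' so signatures run against the real value.
        for value in parse_qs(m["body"]).get(param, []):
            sigs = classify_payload(value)
            if sigs:
                hits.append({"client": m["client"], "time": m["time"],
                             "payload": value, "signatures": sigs})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["client"]} {hit["signatures"]} {hit["payload"]!r}')
```

On the sample the two requests from 10.0.0.9 are flagged (tautology, then UNION SELECT) while the legitimate logins, including the one containing an apostrophe, are not. The signatures are a starting point: tune them against your own traffic, and treat repeated hits from one client within a short window as the alerting condition rather than any single line.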
Evidence notes
Primary evidence sources include the NVD CVE record, VulnCheck advisory, and Exploit-DB entry. The CVSS 4.0 vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Vendor identification is marked as low confidence with 'Unknown Vendor' designation in source data, requiring review. The reference domain candidate 'Exploit Db' was used for vendor inference.
Official resources
The vulnerability was disclosed through coordinated disclosure channels, with an advisory published by VulnCheck and exploit documentation on Exploit-DB. The Open ISES Project is an open-source incident management system hosted on SourceForge.