PatchSiren cyber security CVE debrief

CVE-2018-25399 Open ISES CVE debrief

CVE-2018-25399 documents an unauthenticated SQL injection vulnerability in The Open ISES Project version 3.30A. The flaw resides in the nearby.php endpoint, where the tick_lat and tick_lng parameters fail to properly sanitize user input before incorporation into SQL queries. Attackers can exploit this weakness via crafted GET requests to execute arbitrary SQL commands, potentially extracting sensitive database information including usernames, database names, and version details. The vulnerability carries a HIGH severity CVSS score of 8.8, reflecting significant confidentiality impact with network-based attack vectors requiring no authentication or user interaction. The Open ISES Project appears to be an open-source emergency services information system hosted on SourceForge. The CVE record was published on May 29, 2026, with subsequent modification the same day; the vulnerability itself dates to 2018 based on the CVE identifier. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Open ISES
Product: Open ISES Project
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations operating legacy emergency services information systems, open-source software maintainers, security teams responsible for web application penetration testing, database administrators managing PHP-based applications, and incident response teams tracking unauthenticated SQL injection exposures in critical infrastructure software components.

Technical summary

The Open ISES Project 3.30A fails to sanitize user-supplied input in the tick_lat and tick_lng parameters of nearby.php before constructing SQL queries. This allows unauthenticated remote attackers to inject arbitrary SQL syntax through GET request parameters. Successful exploitation enables extraction of sensitive database metadata including usernames, database names, and version information. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') and scored CVSS 4.0 8.8 (HIGH severity) based on network accessibility, low attack complexity, no required privileges or user interaction, and high confidentiality impact. The affected endpoint appears designed for geographic proximity queries, suggesting the parameters represent latitude and longitude coordinates that are interpolated into the query string without being validated as numeric values.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to tick_lat and tick_lng parameters in nearby.php
  • Implement prepared statements or ORM frameworks to eliminate SQL injection vectors
  • Conduct code review of all database-interacting endpoints in The Open ISES Project
  • Deploy Web Application Firewall rules to detect and block SQL injection patterns targeting geographic coordinate parameters
  • Remove or restrict access to The Open ISES Project 3.30A if patches are unavailable, given the software's age and maintenance status
  • Monitor database query logs for anomalous patterns indicative of SQL injection attempts
  • Review database user privileges to enforce least privilege principles and limit impact of successful injection attacks
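As an added example, not code from The Open ISES Project, the following PHP sketch shows the hardening that the technical summary and the first two recommended actions describe: reject anything that is not an in-range numeric coordinate, and hand the values to MySQL only as bound parameters of a prepared statement, so no request string is ever spliced into SQL. It also reflects the last action by connecting as a read-only account. The table and column names (tickets, id, title, lat, lng), the bounding-box radius, the ises_ro account and the DSN are assumptions; the real nearby.php schema and query are not on this page.

```php
<?php
// Added example, not code from The Open ISES Project. Hypothetical hardened
// handler for a proximity lookup taking tick_lat and tick_lng via GET.
declare(strict_types=1);

/**
 * Parse one coordinate parameter. Returns a float, or null when the value is
 * absent, not a string (e.g. sent as an array), non-numeric, or out of range.
 * FILTER_VALIDATE_FLOAT only accepts a plain decimal number, so SQL syntax is
 * rejected here, before the value gets anywhere near the database layer.
 */
function parseCoordinate(mixed $raw, float $min, float $max): ?float
{
    if (!is_string($raw)) {
        return null;
    }
    $value = filter_var(trim($raw), FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < $min || $value > $max) {
        return null;
    }
    return $value;
}

/**
 * The defect class the CVE describes (CWE-89), shown only for contrast:
 * request strings concatenated straight into the query text.
 */
function buildNearbyQueryUnsafe(string $tickLat, string $tickLng): string
{
    return "SELECT id, title FROM tickets WHERE lat = $tickLat AND lng = $tickLng";
}

/**
 * Hardened form: the bounding box is computed in PHP from already-validated
 * floats, and every value reaches MySQL as a bound parameter. Table and column
 * names are assumptions for this example.
 */
function findNearby(PDO $db, float $lat, float $lng, float $radiusDeg = 0.5): array
{
    $sql = 'SELECT id, title, lat, lng FROM tickets
            WHERE lat BETWEEN :lat_min AND :lat_max
              AND lng BETWEEN :lng_min AND :lng_max';
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':lat_min' => $lat - $radiusDeg,
        ':lat_max' => $lat + $radiusDeg,
        ':lng_min' => $lng - $radiusDeg,
        ':lng_max' => $lng + $radiusDeg,
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: latitude is bounded to [-90, 90], longitude to [-180, 180].
$lat = parseCoordinate($_GET['tick_lat'] ?? null, -90.0, 90.0);
$lng = parseCoordinate($_GET['tick_lng'] ?? null, -180.0, 180.0);
if ($lat === null || $lng === null) {
    http_response_code(400);
    exit('tick_lat and tick_lng must be numeric coordinates');
}

// Connect as a read-only account (assumed name) so a query-layer bug cannot
// modify data; server-side prepares, not client-side quoting.
$db = new PDO(
    'mysql:host=localhost;dbname=ises;charset=utf8mb4',   // assumed DSN
    'ises_ro',
    'REPLACE_WITH_SECRET',                                 // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

header('Content-Type: application/json');
echo json_encode(findNearby($db, $lat, $lng));
```

Two checks matter in practice. First, validation alone is not the fix: a coordinate that passes FILTER_VALIDATE_FLOAT is safe to concatenate today, but the prepared statement is what keeps the endpoint safe when the next parameter added is a free-text one. Second, PDO::ATTR_EMULATE_PREPARES is set to false so the parameters are bound on the MySQL server rather than escaped and re-spliced by the client library, which is the behaviour a code review of every database-touching endpoint (third action above) should confirm.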

Evidence notes

Vulnerability confirmed through official CVE record and NVD entry. Exploit-DB reference 45645 provides technical disclosure. VulnCheck advisory provides additional analysis. SourceForge project page and download link confirm software origin. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, with high confidentiality impact and low integrity impact. CWE-89 (SQL Injection) classified as primary weakness.

Official resources

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requ