PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25400 Open ISES CVE debrief

CVE-2018-25400 documents an unauthenticated SQL injection vulnerability in The Open ISES Project version 3.30A. The flaw exists in the ajax/form_post.php endpoint, where the 'id' parameter fails to properly sanitize user input, allowing attackers to inject arbitrary SQL commands via crafted GET requests. Successful exploitation enables extraction of sensitive database information including schema names and other data without authentication. The vulnerability carries a HIGH severity CVSS score of 8.8. The Open ISES Project appears to be an open-source emergency services information system hosted on SourceForge. The CVE record was published on May 29, 2026, with subsequent modification the same day; the vulnerability itself dates to 2018 based on the CVE identifier. Multiple source references are available including the project homepage, download location, an Exploit-DB entry, and a VulnCheck advisory.

Vendor
Open ISES
Product
Open ISES Project
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating The Open ISES Project 3.30A for emergency services information management; security teams responsible for protecting critical infrastructure applications; database administrators managing backend systems for public safety software deployments.

Technical summary

The ajax/form_post.php endpoint in The Open ISES Project 3.30A contains an SQL injection vulnerability in the 'id' parameter. The application constructs SQL queries using unsanitized user input from GET requests, enabling attackers to inject malicious SQL payloads. This allows unauthenticated remote attackers to execute arbitrary SQL commands, extract database schema information, and access sensitive data. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements in SQL Command).

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to the 'id' parameter in ajax/form_post.php
  • Implement prepared statements to prevent SQL injection attacks
  • Review and sanitize all user-supplied input in database query construction
  • Consider web application firewall (WAF) rules to detect and block SQL injection attempts
  • Audit database access logs for suspicious query patterns indicative of exploitation
  • If patching is unavailable, restrict network access to the affected application
  • Monitor for unauthorized database schema enumeration or data extraction attempts

Evidence notes

Vulnerability confirmed through official CVE record and NVD entry. Exploit-DB reference 45645 and VulnCheck advisory provide technical details. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact. CWE-89 (SQL Injection) classified as primary weakness.

Official resources

2026-05-29T16:16:19.627Z