PatchSiren cyber security CVE debrief
CVE-2018-25408 Openises CVE debrief
CVE-2018-25408 documents a path traversal vulnerability in The Open ISES Project version 3.30A, specifically in the `ajax/download.php` endpoint. The flaw allows unauthenticated remote attackers to download arbitrary files readable by the web server process by supplying directory traversal sequences (`../`) in the `filename` parameter. This can expose sensitive files, including application configuration files and system files. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and carries a CVSS 4.0 base score of 8.7 (HIGH). The CVE was published on 2026-05-30T16:17:01.437Z with a status of 'Received' in the NVD. Vendor attribution remains low-confidence, derived from reference-domain analysis pointing to Exploit-DB as a candidate source. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Openises
- Product: Open ISES Project
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-05-30
- Advisory published: 2026-05-30
- Advisory updated: 2026-05-30
Who should care
Organizations running The Open ISES Project 3.30A, particularly those exposing the application to untrusted networks. Security teams responsible for web application security, incident response personnel monitoring for file exfiltration attempts, and system administrators managing legacy PHP applications should prioritize assessment and remediation.
Technical summary
The Open ISES Project 3.30A fails to properly sanitize user-supplied input in the `filename` parameter of `ajax/download.php`. An unauthenticated attacker can inject directory traversal sequences to escape the intended download directory and read arbitrary files accessible to the web server process. The vulnerability is network-exploitable with low attack complexity, requires no privileges or user interaction, and results in high confidentiality impact with no direct integrity or availability impact per the CVSS 4.0 vector.
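To make the defect and the fix concrete, the following Python example (added here; it is not code from The Open ISES Project, whose download handler is PHP, and the download directory `/srv/openises/uploads` is an assumed path) contrasts the vulnerable join-and-serve pattern with a hardened resolver that decodes, allowlists and canonicalises the requested name before it reaches the filesystem. The checks are language-agnostic; in PHP the same effect comes from `basename()` plus `realpath()` and a prefix comparison against the download directory.

```python
import os
import re
import urllib.parse

# Hypothetical download directory for the application (assumption, not from the advisory).
BASE_DIR = "/srv/openises/uploads"

# Allowlist: a bare file name, no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def naive_resolve(base_dir, filename):
    """The vulnerable pattern: join the user-supplied name onto the download
    directory and let the filesystem honour whatever '..' segments it contains.
    Returns where the web server would actually read from. Note that an absolute
    filename discards base_dir entirely with os.path.join."""
    return os.path.normpath(os.path.join(base_dir, filename))


def fully_decode(value, max_rounds=3):
    """Undo percent-encoding until it stops changing, so %2e%2e%2f and the
    double-encoded %252e%252e%252f both end up as a literal '../'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base_dir, filename):
    """Hardened replacement. Returns the canonical path to serve, or None when the
    request must be rejected. Two independent checks are applied: an allowlist on
    the decoded name, then canonical-path containment (realpath) as defence in depth."""
    name = fully_decode(filename)
    # Reject NUL bytes (truncation tricks), any separator, and any '..' outright.
    if "\x00" in name or ".." in name or "/" in name or "\\" in name:
        return None
    if not SAFE_NAME.fullmatch(name):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath catches a symlink inside base that points outside it.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("report.pdf", "../../../../etc/passwd",
                  "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e%252fetc%252fpasswd",
                  "report.pdf%00.jpg", "/etc/passwd"):
        print(f"{probe!r:40} naive -> {naive_resolve(BASE_DIR, probe)!r:30} "
              f"safe -> {safe_resolve(BASE_DIR, probe)!r}")
```

The allowlist alone would already block every traversal form above; the realpath containment check is kept because it also defends against a later change that relaxes the allowlist (for example to permit subdirectories) and against symlinks planted in the download directory.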
Defensive priority
HIGH
Recommended defensive actions
- Restrict or disable access to the `ajax/download.php` endpoint if it is not required for operations; because the flaw is reachable without authentication, network-level restriction (VPN, IP allowlisting) is the fastest mitigation
- Implement strict input validation on the `filename` parameter: accept only a bare file name from an allowlisted character set and reject anything containing path separators or `..`, including percent-encoded and double-encoded variants
- Resolve the canonical path of the requested file (realpath) and verify it still lies inside the permitted download directory before opening it
- Upgrade to a patched version of The Open ISES Project when one is available from the vendor
- Monitor web server logs for download requests whose `filename` value contains traversal patterns, decoding percent-encoding before matching so encoded variants are not missed; a 2xx response to such a request indicates probable file disclosure and should be triaged as an incident
- Deploy Web Application Firewall (WAF) rules to detect and block path traversal attempts against download endpoints, treating them as a stopgap rather than a fix
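The log-monitoring action above is easy to get wrong if the matching is done on the raw request line, because a single `%2e%2e%2f` or a double-encoded `%252e` never contains a literal `../`. The following Python script (an added example, not part of the advisory or the project; the Apache combined-format lines are constructed for illustration and the IPs are documentation ranges) parses access-log lines, isolates the `filename` parameter of requests to `/ajax/download.php`, decodes it before matching, and flags the status code so that served (2xx) and blocked requests can be prioritised differently. The endpoint and parameter are arguments, so the same detector can be pointed at any other download handler.

```python
import re
import urllib.parse

# Constructed Apache combined-format lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2026:16:20:01 +0000] "GET /ajax/download.php?filename=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [30/May/2026:16:20:05 +0000] "GET /ajax/download.php?filename=../../../../etc/passwd HTTP/1.1" 200 1847 "-" "curl/8.4.0"
198.51.100.7 - - [30/May/2026:16:21:11 +0000] "GET /ajax/download.php?filename=%2e%2e%2f%2e%2e%2fconfig.php HTTP/1.1" 200 2231 "-" "python-requests/2.31"
198.51.100.7 - - [30/May/2026:16:21:12 +0000] "GET /ajax/download.php?filename=..%252f..%252fetc%252fshadow HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.44 - - [30/May/2026:16:22:30 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' that forms a complete path segment, with either separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def detect_traversal(log_text, endpoint="/ajax/download.php", param="filename"):
    """Return one finding per request to `endpoint` whose `param` value, after
    percent-decoding, contains a '..' segment, is an absolute path, or carries a
    NUL byte. Requests to other paths are ignored so the detector stays targeted."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access line; skip rather than crash
        parts = urllib.parse.urlsplit(m.group("target"))
        if parts.path != endpoint:
            continue
        # parse_qs performs one round of decoding; two more rounds catch double encoding.
        values = urllib.parse.parse_qs(parts.query, keep_blank_values=True).get(param, [])
        for raw in values:
            decoded = urllib.parse.unquote(urllib.parse.unquote(raw))
            if (TRAVERSAL_RE.search(decoded)
                    or decoded.startswith(("/", "\\"))
                    or "\x00" in decoded):
                status = int(m.group("status"))
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": status,
                    "raw": raw,
                    "decoded": decoded,
                    # A 2xx means the server handed back a body: treat as probable disclosure.
                    "likely_success": 200 <= status < 300,
                })
    return findings


if __name__ == "__main__":
    for f in detect_traversal(SAMPLE_LOG):
        verdict = "PROBABLE DISCLOSURE" if f["likely_success"] else "attempt blocked"
        print(f'{f["ts"]} {f["ip"]:14} {f["status"]} {f["decoded"]:28} {verdict}')
```

Run it against a real access log with `detect_traversal(open(path).read())`; the `likely_success` flag is the field to alert on first, since an unauthenticated 200 for a traversal value means a file has already left the server.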
Evidence notes
The vulnerability description is sourced from the official NVD record with CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The weakness is identified as CWE-22. Reference materials include the project homepage, SourceForge download page, Exploit-DB entry 45655, and a VulnCheck advisory. Vendor attribution is marked as low confidence with needsReview flag set to true.