PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25379 Ourenergy CVE debrief

CVE-2018-25379 documents a boolean-based blind SQL injection vulnerability in Collectric CMU 1.0, specifically within the `lang` parameter of the authentication interface. The vulnerability permits unauthenticated remote attackers to manipulate database queries during login, enabling extraction of sensitive information via time-based blind injection techniques. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) reflects network accessibility with low attack complexity, no privileges required, and high confidentiality impact. The vulnerability was published to CVE on 2026-05-25 and modified on 2026-05-26. The NVD entry currently carries a 'Deferred' status. Vendor attribution remains uncertain: the reference domain candidate 'Ourenergy' suggests possible vendor association, though confidence is low and the entry requires review. No Known Exploited Vulnerability (KEV) listing exists.

Vendor
Ourenergy
Product
Collectric CMU
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-25
Original CVE updated
2026-05-26
Advisory published
2026-05-25
Advisory updated
2026-05-26

Who should care

Organizations operating Collectric CMU 1.0 installations; security teams monitoring legacy industrial control or energy management systems; database administrators responsible for application-layer access controls.

Technical summary

The vulnerability exists in the `lang` parameter of Collectric CMU 1.0's authentication mechanism. Attackers can inject SQL payloads without authentication, leveraging boolean-based blind techniques to infer database contents through timing differences. The injection point during login processing creates a direct path to sensitive data extraction without requiring error messages or verbose output.

Defensive priority

HIGH

Recommended defensive actions

  • Review authentication input validation for the `lang` parameter in Collectric CMU deployments
  • Implement parameterized queries or prepared statements for all database interactions
  • Apply principle of least privilege to database accounts used by the application
  • Monitor for anomalous login request patterns involving the `lang` parameter
  • Verify vendor attribution with Ourenergy domain contacts if product deployment confirmed
  • Await NVD status resolution from 'Deferred' to determine final severity assessment

Evidence notes

Primary evidence derives from NVD modified feed with VulnCheck as disclosure source. CVSS 4.0 vector supplied. CPE criteria absent from source. Vendor identification flagged for review due to low-confidence domain inference.

Official resources

Disclosure sources include VulnCheck and Exploit-DB. The VulnCheck advisory provides technical analysis of the SQL injection vector.