HIGH · CVE-2018-25257 · CVSS 7.1

CVE-2018-25257: Adianti SQL Injection - v5.5.0

Platform: php

Component: adanti

Fixed in: 5.5.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: Apr 2026

CVE-2018-25257 is a SQL Injection vulnerability discovered in the Adianti Framework. This flaw allows authenticated users to inject malicious SQL code into database queries, potentially leading to unauthorized data access and modification. The vulnerability affects versions 5.5.0 and 5.6.0 of the framework. As of the last update, no official patch has been released to address this issue.

Impact and Attack Scenarios

CVE-2018-25257 in the Adianti Framework (versions 5.5.0 and 5.6.0) presents a significant SQL injection risk. An authenticated attacker can exploit this flaw by injecting malicious SQL code into the 'name' field of the SystemProfileForm. This manipulation allows alteration of database queries, potentially resulting in credential modification, including gaining administrative access. The potential impact is complete system takeover, sensitive data exfiltration, and service disruption. The lack of an official fix exacerbates the situation, requiring alternative mitigation measures. This vulnerability is particularly concerning in environments where database security is critical.

Exploitation Context

The vulnerability is exploited through the user profile edit endpoint. An authenticated attacker (i.e., possessing a valid account in the system) can send an HTTP POST request to the edit profile endpoint, manipulating the value of the 'name' field to include malicious SQL code. This SQL code is executed directly on the database, allowing the attacker to modify data, create new users with administrative privileges, or even execute operating system commands (depending on the database configuration). The attacker's prior authentication simplifies exploitation, as they do not need to compromise login credentials to leverage the vulnerability. The simplicity of exploitation makes this vulnerability particularly dangerous.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.03% (8% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N · Base Score 7.1 HIGH (nextguardhq.com)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: adanti
Vendor: adianti
Affected range: 5.5.0 – 5.5.0
Fixed in: 5.5.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 42 days since disclosure

Mitigation and Workarounds

Given that no official fix is provided by the Adianti Framework developer, mitigating CVE-2018-25257 requires a proactive and multifaceted approach. The most immediate measure is to upgrade to a framework version that has patched this vulnerability (if available). In the absence of an update, implement rigorous input validation and sanitization on the 'name' field of the SystemProfileForm to prevent SQL code injection. Additionally, apply the principle of least privilege, ensuring user accounts have only the necessary permissions to perform their tasks. Constant monitoring of the database for suspicious activity is crucial for detecting and responding to potential attacks. Finally, consider implementing a Web Application Firewall (WAF) for an additional layer of protection.
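An added example (not Adianti Framework code and not part of the advisory) of validating a profile name and writing it with bound parameters, in PHP with PDO and an in-memory SQLite database. The `profile_demo` table and the `validateName` and `updateName` functions are hypothetical, the inputs are constructed, and bound parameters are added here as the standard SQL injection defense alongside the validation the text names.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical table and function names, not Adianti Framework code.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE profile_demo (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO profile_demo VALUES (1, 'alice', 0), (2, 'root', 1)");

/** Allowlist check: letters, digits, space, dot, apostrophe, hyphen; 1 to 64 characters. */
function validateName(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} .\'\-]{1,64}\z/u', $name) === 1;
}

/** Update the caller's own profile name; returns true only if exactly one row changed. */
function updateName(PDO $pdo, int $sessionUserId, string $name): bool
{
    if (!validateName($name)) {
        return false; // rejected before any query is built
    }
    // Placeholders keep the value out of the SQL text. The row is selected by the
    // server-side session user id, never by a field taken from the request.
    $stmt = $pdo->prepare('UPDATE profile_demo SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $name, ':id' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

// Constructed inputs: a legitimate name containing an apostrophe, then a value
// carrying SQL syntax that the allowlist refuses.
var_dump(updateName($pdo, 1, "Alice O'Brien"));
var_dump(updateName($pdo, 1, "x'; --"));

// Show the table afterwards: the apostrophe is stored as data and no other row or
// column has changed.
foreach ($pdo->query('SELECT id, name, is_admin FROM profile_demo') as $row) {
    printf("%d | %s | %d\n", $row['id'], $row['name'], $row['is_admin']);
}
```

The apostrophe case is the reason validation alone is not enough: a legitimate name can contain a quote character, so the query layer has to treat every value as data regardless of what the validator allows.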

How to fix

Update the Adianti Framework to a patched version that resolves the SQL injection vulnerability in the profile form. Refer to the official framework documentation or release notes for specific instructions on how to perform the update.

Frequently asked questions

What is CVE-2018-25257 — SQL Injection in Adianti Framework?

Versions 5.5.0 and 5.6.0 are the confirmed vulnerable versions.

Am I affected by CVE-2018-25257 in Adianti Framework?

No, as of today, there is no official fix provided by the Adianti Framework developer.

How do I fix CVE-2018-25257 in Adianti Framework?

Implement input validation and sanitization, apply the principle of least privilege, and monitor the database for suspicious activity. Consider a WAF.

Is CVE-2018-25257 being actively exploited?

Any data stored in the database, including user credentials, personal information, and business data.

Where can I find the official Adianti Framework advisory for CVE-2018-25257?

If possible, updating to a patched version is the best option. If not, implementing mitigations is crucial.
