CVE-2018-25398

The Open ISES Project 3.30A SQL Injection via main.php

CVSS 8.8 HIGHEPSS 0.3%CWE-89

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 8.8EPSS 0.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

29 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

Open ISES · Open ISES Project

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/45645unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://openises.sourceforge.net/https://sourceforge.net/projects/openises/files/latest/download https://www.exploit-db.com/exploits/45645 https://www.vulncheck.com/advisories/the-open-ises-project-3-30a-sql-injection-via-main-php