CVE-2018-25257
Published: 12 April 2026
Summary
CVE-2018-25257 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 10.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2018-25257 is an SQL injection vulnerability (CWE-89) affecting Adianti Framework versions 5.5.0 and 5.6.0. The flaw exists in the SystemProfileForm component, where the name field in the profile edit endpoint fails to properly sanitize user input, allowing authenticated users to inject malicious SQL code into database queries. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability disruption.
An attacker with low-privilege authenticated access can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting crafted SQL statements through the vulnerable name field, the attacker can manipulate database queries to modify user credentials, such as elevating their own account to administrative privileges and potentially extracting sensitive data.
Advisories and related resources, including a proof-of-concept exploit published on Exploit-DB (https://www.exploit-db.com/exploits/46217) and a detailed advisory from Vulncheck (https://www.vulncheck.com/advisories/adianti-framework-and-sql-injection-via-profile), document the issue but do not specify patches or mitigations in the available descriptions. Security practitioners should review these references for remediation guidance and consider upgrading to unaffected versions of the framework.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-21768
Vulnerability details
Adianti Framework 5.5.0 and 5.6.0 contain an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection directly enables remote authenticated exploitation of a web framework component (T1190), resulting in unauthorized account modification/privilege escalation (T1098, T1068).
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of unsanitized user inputs like the name field in SystemProfileForm to prevent SQL injection exploitation.
Enforces restrictions on information inputs to block malicious SQL code from being accepted in the profile edit endpoint.
Mandates identification, reporting, and correction of flaws such as this SQL injection vulnerability via patching or framework upgrades.
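The input-validation controls above and the name-field flaw described under "Deeper analysis" can be seen side by side in the following added example, which is not code from Adianti Framework or from the referenced advisories. It uses Python's sqlite3 rather than the framework's own stack, and the table, column names, helper functions and sample inputs are all constructed for illustration.

```python
import re
import sqlite3

# Constructed table and row for illustration; not Adianti's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE demo_user (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.execute("INSERT INTO demo_user VALUES (1, 'alice', 'user')")
    return db

def update_name_unsafe(db, user_id, name):
    # CWE-89 pattern (assumed, not the framework's source): the value is pasted
    # into the SQL text, so a quote in `name` closes the string literal and the
    # remainder is parsed as SQL.
    db.execute(f"UPDATE demo_user SET name = '{name}' WHERE id = {int(user_id)}")

# SI-10 style allow-list: a letter, then up to 63 word characters, spaces or . ' -
NAME_RE = re.compile(r"[^\W\d_][\w .'-]{0,63}")

def update_name_safe(db, user_id, name, validate=True):
    if validate and not NAME_RE.fullmatch(name):
        raise ValueError("name rejected by input validation")
    # Bound parameters keep the value out of the SQL grammar entirely.
    db.execute("UPDATE demo_user SET name = ? WHERE id = ?", (name, int(user_id)))

def row(db, user_id=1):
    return db.execute("SELECT name, role FROM demo_user WHERE id = ?", (user_id,)).fetchone()

CRAFTED = "x', role = 'admin"  # constructed input: a quote plus a column assignment

def demo():
    out = {}
    db = make_db(); update_name_unsafe(db, 1, CRAFTED); out["unsafe"] = row(db)
    db = make_db(); update_name_safe(db, 1, CRAFTED, validate=False); out["bound"] = row(db)
    db = make_db()
    try:
        update_name_safe(db, 1, CRAFTED)
        out["validated"] = "accepted"
    except ValueError:
        out["validated"] = "rejected"
    # A legitimate name containing an apostrophe still works with binding.
    db = make_db(); update_name_safe(db, 1, "Siobhan O'Brien"); out["legit"] = row(db)
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} {result}")
```

Parameter binding is the control that removes the injection; the allow-list is a second layer, and it has to admit apostrophes so that legitimate names are not rejected.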