Cyber Resilience

CVE-2018-25272

CriticalPublic PoC

Published: 22 April 2026

Published
22 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2018-25272 is a critical-severity Inadequate Encryption Strength (CWE-326) vulnerability in Elba (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2018-25272 is a remote code execution vulnerability affecting ELBA5 version 5.8.0. The flaw enables attackers to obtain database credentials and execute arbitrary commands with SYSTEM-level permissions by connecting to the database using default connector credentials, decrypting the DBA password, and leveraging mechanisms such as the xp_cmdshell stored procedure or adding backdoor users to the BEDIENER table. It is associated with CWE-326 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants full control over the system, including arbitrary command execution at the highest privilege level, potentially leading to complete compromise of the affected ELBA5 instance and its underlying database.

Advisories and references, including those from VulnCheck detailing the remote code execution via database access, the vendor site at elba.at, and a proof-of-concept exploit on Exploit-DB (45905), provide further technical details. Practitioners should consult these for patch availability or mitigation guidance specific to ELBA5 deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands…

more

via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Unauthenticated remote exploitation of database service using default connector credentials and password decryption flaw enables initial access (T1190), credential collection (T1212), and privilege escalation to SYSTEM for arbitrary command execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-36379Shared CWE-326
CVE-2026-33488Shared CWE-326
CVE-2024-54089Shared CWE-326
CVE-2026-28377Shared CWE-326
CVE-2026-41860Shared CWE-326
CVE-2026-33361Shared CWE-326
CVE-2025-68703Shared CWE-326
CVE-2026-44351Shared CWE-326
CVE-2026-33512Shared CWE-326
CVE-2026-44523Shared CWE-326

Affected Assets

Elba
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely remediation of the known flaw in ELBA5 5.8.0 directly prevents remote code execution exploitation.

prevent

Prohibiting default connector credentials blocks the initial unauthenticated database access required for the attack chain.

prevent

Restricting least functionality by disabling xp_cmdshell and unnecessary database procedures prevents arbitrary command execution with SYSTEM privileges.

References