CVE-2025-26186
Published: 15 July 2025
Summary
CVE-2025-26186 is a high-severity SQL Injection (CWE-89) vulnerability in Os4Ed Opensis. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 24.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26186 is a SQL injection vulnerability (CWE-89) affecting openSIS version 9.1, specifically in the Ajax.php component. A remote attacker can exploit the id parameter to execute arbitrary code. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
The attack requires network access and high attack complexity but no privileges or user interaction. A remote, unauthenticated attacker can inject malicious SQL payloads via the vulnerable parameter, leading to arbitrary code execution on the affected system.
Mitigation is addressed in a GitHub pull request for the openSIS-Classic repository at https://github.com/OS4ED/openSIS-Classic/pull/330. Security practitioners should review the vendor's site at https://www.os4ed.com/ for additional guidance and apply patches promptly to vulnerable installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21461
Vulnerability details
SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
SQL injection in public-facing web app (Ajax.php) directly enables remote unauthenticated exploitation for arbitrary code execution.
Mitigating Controls (NIST 800-53 r5) [AI]
SI-10 directly prevents SQL injection by requiring validation of untrusted inputs like the id parameter in Ajax.php.
SI-2 ensures timely remediation of the specific flaw in openSIS v9.1 via patches from the vendor pull request.
SC-7 provides boundary protection that can inspect and block SQL injection payloads targeting the Ajax.php endpoint.
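As an added illustration of the SI-10 control (input validation of the id parameter), the following is example code written for this page, not openSIS's own Ajax.php or any code from the referenced pull request. It places a hypothetical handler that concatenates an untrusted id into SQL beside a hardened version that validates id as a positive integer and binds it through a PDO prepared statement. The table name "students", the column "student_id", and the function names are assumptions.

```php
<?php
// Added example for this page: a hypothetical request handler, not code from openSIS.
// Table "students" and column "student_id" are assumed names.

// VULNERABLE pattern (CWE-89): the untrusted id is interpolated directly into
// the SQL text, so whatever the client sends becomes part of the query grammar.
function findStudentUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT student_id, name FROM students WHERE student_id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern (SI-10 plus parameter binding): reject any id that is not a
// positive integer before touching the database, then bind the value so the
// database driver never parses it as SQL.
function findStudentSafe(PDO $db, string $rawId): array
{
    // filter_var returns the integer on success and false on any other input
    // (letters, quotes, comments, negative numbers, empty string).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);   // malformed input is a client error, not a query
        return [];
    }

    $stmt = $db->prepare('SELECT student_id, name FROM students WHERE student_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (student_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO students VALUES (1, 'Alice'), (2, 'Bob')");

// In a web context $rawId would come from the request; the default is for CLI runs.
$rawId = $_GET['id'] ?? '1';
print_r(findStudentSafe($db, $rawId));
```

The validation step and the prepared statement are independent defences: validation (SI-10) fails closed on unexpected input shapes and gives a clean 400 for detection and logging, while binding guarantees that even a value that passes validation is treated as data. Keeping both is what SI-10 is asking for; relying on only one of them leaves a single point of failure.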