CVE-2018-25333

Vulnerability

Overview

The Nordex N149/4.0-4.5 wind turbine web server version 4.0 (and likely up to 4.5) contains a SQL injection vulnerability in the login parameter of /php/login.php. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, allowing an attacker to inject arbitrary SQL commands. This is a classic CWE-89 SQL injection flaw [3].

Exploitation

Details

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the login endpoint with malicious SQL payloads in the login field. A proof-of-concept exploit demonstrates that sending a payload such as -1' and 6=3 or 1=1+(SELECT ...) triggers a database error revealing internal information, including the database path and table structure [2]. The attack requires no authentication and can be performed remotely over the network, with a CVSS v4 vector indicating network-based, low-complexity exploitation [3].

Impact

Successful exploitation allows an attacker to extract sensitive data from the database, including user credentials and configuration details. The vulnerability also enables authentication bypass, granting unauthorized access to the web server's administrative interface. The CVSS v3 score of 8.2 (High) reflects the high confidentiality impact and the lack of required privileges [3].

Mitigation

As of the publication date (May 2026), no official patch has been confirmed. The vendor's website does not mention a security update [1]. Users are advised to restrict network access to the web server, implement a web application firewall (WAF) with SQL injection rules, and monitor for any vendor-issued patches. The vulnerability is listed in the Exploit Database, indicating public exploit availability [2].