CVE-2018-25416
Description
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extract sensitive database information including usernames, database names, and version details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AiOPMSD Final 1.0.0 has an unauthenticated SQL injection in country.php, enabling attackers to extract sensitive database information via crafted GET requests.
Vulnerability
AiOPMSD Final 1.0.0 (build 4, released September 2017) contains a SQL injection vulnerability in country.php. The application fails to sanitize user-supplied input in the country GET parameter before including it in SQL queries. This allows attackers to inject arbitrary SQL commands. No authentication is required to reach the vulnerable code path, and the condition is trivially exploitable by sending a crafted HTTP request to country.php?country=.... The affected version is AiOPMSD Final 1.0.0 (build 4) as described in the project's changelog [2]. Reference [1] provides the download link, and [3] confirms the vulnerability details.
Exploitation
An attacker can exploit this vulnerability from an unauthenticated network position. They send a GET request to country.php with a malicious SQL payload in the country parameter, for example: UNION SELECT .... The attacker does not require any prior access, user interaction, or special privileges. The request is processed immediately, and the attacker receives the database query results in the response. The process is straightforward and requires only a web browser or a simple scripting tool [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries on the backend MySQL database. The attacker can extract sensitive data such as usernames, database names, table contents, and database version details. This constitutes a breach of confidentiality, potentially exposing user credentials, application data, and database schema. The attacker does not gain direct file system access or remote code execution, but the SQL injection provides significant ability to compromise the application's data integrity and confidentiality [1][3].
Mitigation
No official fix is available for CVE-2018-25416 as of the publication date (2026-05-30). The affected software (AiOPMSD Final 1.0.0) appears to be a final release with no subsequent patches released [2]. Users should consider upgrading to an alternative, actively maintained application. If upgrading is not possible, implement input validation and parameterized queries for all user-controlled parameters, and apply web application firewall (WAF) rules to block common SQL injection payloads. However, these workarounds may not fully mitigate the risk. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1][2][3].
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: = 1.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
4News mentions
0No linked articles in our index yet.