CVE-2018-25395: Kados R10 GreenBee SQL Injection via update_feature.php
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of boards_buttons/update_feature.php. The feature_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version.
Security readout for executives and security teams
Plain-English summary
Kados R10 GreenBee has an unauthenticated SQL injection flaw in a feature update endpoint. An attacker who can reach the application could query the database and expose sensitive data. The CVSS 4.0 score is 8.8, so internet-facing deployments should be treated as high priority.
Executive priority
Treat this as a high-priority exposure review for any Kados R10 GreenBee deployment. The business risk is unauthorized database access from an unauthenticated web request. If internet-facing and unsupported, isolate or retire quickly while checking vendor guidance.
Technical view
CVE-2018-25395 is CWE-89 in Kados R10 GreenBee. The feature_id parameter in boards_buttons/update_feature.php is concatenated into SQL without sanitization, enabling arbitrary SQL query execution. Sources describe data extraction impact, including database user, database name, and DBMS version. No vendor patch is identified in the supplied sources.
Likely exposure
Exposure is most likely where Kados R10 GreenBee is deployed and the vulnerable update_feature.php route is reachable by unauthenticated users, especially from the internet. The supplied sources do not provide deployment prevalence or CPE data.
Exploitation context
A public ExploitDB reference exists, so defenders should assume practical exploitation knowledge is available. The supplied data does not show CISA KEV listing or confirmed active exploitation. The issue is network-accessible, low complexity, and needs no privileges or user interaction.
Researcher notes
The evidence supports unauthenticated SQL injection and high confidentiality impact. Affected scope is limited in the bundle to Kados R10 GreenBee. Patch status, exploitation in the wild, and product lifecycle status are not established by the supplied sources.
Mitigation direction
Check Kados and VulnCheck guidance for patch or mitigation status.
Remove public access to affected Kados R10 GreenBee instances where possible.
Restrict the vulnerable route to trusted networks or authenticated users.
Prioritize retirement or isolation if no fixed release is available.
Monitor database and web logs for suspicious unauthenticated access.
Validation and detection
Inventory systems for Kados R10 GreenBee deployments.
Confirm whether boards_buttons/update_feature.php is reachable without authentication.
Review web logs for unusual requests involving feature_id.
Check database logs for unexpected queries from the web application account.
Verify whether any vendor update or compensating control is applied.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-89: Database access and collection lookup
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-89 · source CWE mapping
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.