CVE-2018-25192

HIGH

GPS Tracking System 2.12 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25192. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary This is a functional SQL injection exploit for GPS Tracking System 2.12, demonstrating an authentication bypass via a crafted 'username' parameter in the login form. The PoC includes a raw HTTP request with a classic SQLi payload ('or 1=1) that bypasses authentication and redirects to the admin panel.

Description

GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45816

This is a functional SQL injection exploit for GPS Tracking System 2.12, demonstrating an authentication bypass via a crafted 'username' parameter in the login form. The PoC includes a raw HTTP request with a classic SQLi payload ('or 1=1) that bypasses authentication and redirects to the admin panel.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: GPS Tracking System 2.12
No auth needed
Prerequisites: network access to the target web application · login.php endpoint accessible
devstral-2 · analyzed Mar 06, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/45816

Scores

CVSS v3 8.2
EPSS 0.0028
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Published Mar 06, 2026
Tracked Since Mar 06, 2026