CVE-2018-25196

HIGH

ServerZilla 1.0 - Unauthenticated SQL Injection via Email Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25196. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary

This exploit demonstrates a SQL injection vulnerability in ServerZilla 1.0 via the 'email' parameter in reset.php. The provided HTTP request includes a crafted payload that attempts to manipulate the SQL query using OR NOT logic.

Description

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to reset.php with malicious email values containing SQL operators to bypass authentication and extract sensitive database information.

Exploits (1)

exploitdb · WORKING POC
by Ihsan Sencan · text · webapps · php
https://www.exploit-db.com/exploits/45817

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: ServerZilla 1.0
Authentication: none needed
Prerequisites: Access to the reset.php endpoint
Analyzed by devstral-2 on Mar 06, 2026

References (2)

Core References
Exploit, Third Party Advisory (exploit)
https://www.exploit-db.com/exploits/45817

Scores

CVSS v3 8.2
EPSS 0.0028
EPSS Percentile 19.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Published: Mar 06, 2026
Tracked Since: Mar 06, 2026