CVE-2018-25379

HIGH

Collectric CMU 1.0 SQL Injection via lang Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25379. PoCs published by Simon Brannstrom.

AI-analyzed exploit summary: The exploit demonstrates a SQL injection vulnerability in Collectric CMU 1.0 via the 'lang' GET parameter, with payloads for boolean-based blind and time-based blind attacks. It also includes hard-coded credentials for SSH, MySQL, and the web portal.

Description

Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques.

Exploits (1)

exploitdb WORKING POC
by Simon Brannstrom · text, webapps, hardware
https://www.exploit-db.com/exploits/45446

Classification: Working PoC 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Collectric CMU 1.0
No auth needed
Prerequisites: Access to the login page of Collectric CMU
devstral-2 · analyzed May 25, 2026

References (3)

Exploit: ExploitDB-45446
https://www.exploit-db.com/exploits/45446
Product: Official Product Homepage
http://ourenergy.se/
Third Party Advisory: VulnCheck Advisory: Collectric CMU 1.0 SQL Injection via lang Parameter
https://www.vulncheck.com/advisories/collectric-cmu-sql-injection-via-lang-parameter

Scores

CVSS v3: 8.2
EPSS: 0.0039
EPSS Percentile: 30.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (1): Ourenergy/Collectric CMU 1.0
Published: May 25, 2026
Tracked Since: May 25, 2026