CVE-2018-25392

HIGH

MaxOn ERP Software 8.x-9.x SQL Injection via nomor Parameter

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25392. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary The exploit demonstrates a SQL injection vulnerability in MaxOn ERP Software 8.x-9.x via the 'nomor', 'user', and 'jenis' parameters in the log_activity function. The provided HTTP requests show successful injection payloads that trigger SQL errors, confirming the vulnerability.

Description

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.

Exploits (1)

exploitdb WORKING POC

by Ihsan Sencan · textwebappsphp

https://www.exploit-db.com/exploits/45605

View Code ZIP pw:eip

The exploit demonstrates a SQL injection vulnerability in MaxOn ERP Software 8.x-9.x via the 'nomor', 'user', and 'jenis' parameters in the log_activity function. The provided HTTP requests show successful injection payloads that trigger SQL errors, confirming the vulnerability.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: MaxOn ERP Software 8.x-9.x

No auth needed

Prerequisites: Access to the target application's log_activity endpoint

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 29, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-45605

https://www.exploit-db.com/exploits/45605

Product product

Official Product Homepage

http://www.talagasoft.com

Product product

Product Reference

http://demo.maxonerp.com/

Third Party Advisory third-party-advisory

VulnCheck Advisory: MaxOn ERP Software 8.x-9.x SQL Injection via nomor Parameter

https://www.vulncheck.com/advisories/maxon-erp-software-8-x-9-x-sql-injection-via-nomor-parameter

Scores

CVSS v3 7.1

EPSS 0.0027

EPSS Percentile 18.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

Talagasoft/MaxOn ERP 8.0

Talagasoft/MaxOn ERP 9.0

Published May 29, 2026

Tracked Since May 29, 2026