CVE-2018-25412 2026-05-30

CVE-2018-25412: Delta SQL 1.8.2 Unauthenticated Arbitrary File Upload Leading to RCE

"A critical (CVSS 9.8) arbitrary file upload flaw in Delta SQL 1.8.2 lets unauthenticated attackers drop PHP files via `docs_upload.php` and execute them for full remote code execution on the host."


What Is It

CVE-2018-25412 is an arbitrary file upload vulnerability in Delta SQL 1.8.2. The docs_upload.php endpoint accepts multipart/form-data POST requests without any authentication and writes the attacker-supplied file, including files with a .php extension, into the application's upload directory. Because that directory is served by the web server with PHP execution enabled, the attacker can simply request the uploaded file and have the server run it, which is remote code execution in the context of the web server process. The flaw is classified as CWE-306 (Missing Authentication for Critical Function); in practice three separate weaknesses combine here: no authentication on the upload handler, no restriction on the uploaded file's type or name, and an upload directory that executes scripts.

Why It Matters

The CVSS 3.1 base score is 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the CVSS 4.0 secondary score from VulnCheck is 9.3 CRITICAL. Exploitation requires no credentials and no user interaction, and consists of a single network-reachable HTTP request followed by a request for the uploaded file. A working exploit has been public on Exploit-DB (entry 45685) since 2018, so the barrier to weaponization is effectively zero. Successful exploitation gives the attacker code execution as the web server user, enabling data theft, lateral movement, or use of the host as a staging point. CISA KEV does not currently list this CVE, so there is no government confirmation of active in-the-wild exploitation at this time; given the age and availability of the exploit, that absence should not be read as evidence that it is unexploited.

What's Vulnerable

The NVD record does not enumerate affected CPEs beyond the version named in the description, Delta SQL 1.8.2. Other versions have not been assessed in the source material; treat them as unverified rather than as unaffected.

Patch Status

The supplied source material does not reference a vendor patch, fixed version, or formal advisory beyond the VulnCheck disclosure. Delta SQL is hosted on SourceForge. Operators should treat any internet-exposed 1.8.2 instance as compromised until proven otherwise, remove public access to docs_upload.php, disable script execution in the upload directory, review that directory and the web server logs for dropped PHP files, and consider migrating off the product if no maintained release is available. CISA KEV has not issued a required-action deadline for this CVE.
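The brief describes the attack as two HTTP requests (an unauthenticated POST to docs_upload.php, then a GET of the dropped PHP file) and tells operators to treat exposed instances as compromised until proven otherwise. The script below is an added example, not code from the brief, from Delta SQL, or from the Exploit-DB entry; it shows the two hunts a responder would run first: correlating those two requests in web server access logs, and scanning the upload directory on disk for files that contain PHP code regardless of extension. It assumes combined-format access logs and an upload directory named `uploads/` (that directory name is an assumption, not taken from the source); the log lines and files it checks are constructed fixtures embedded in the script.

```python
"""Hunt for CVE-2018-25412 exploitation in access logs and in the upload directory.

Added example, not part of the brief or of Delta SQL. Assumptions: Apache/nginx
combined-format access logs; docs_upload.php writes into a directory served as
/uploads/ (hypothetical name, the source does not state it).
"""
import os
import re
import tempfile

UPLOAD_ENDPOINT = "docs_upload.php"
UPLOAD_DIR = "uploads"  # assumed directory name
PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one real upload-then-execute sequence (203.0.113.7),
# one unauthenticated POST that dropped a PDF (198.51.100.4), and a third host
# using the dropped shell without having uploaded it (192.0.2.9).
SAMPLE_LOG = """
203.0.113.7 - - [30/May/2026:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [30/May/2026:10:01:15 +0000] "POST /docs_upload.php HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [30/May/2026:10:01:16 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.4 - - [30/May/2026:10:05:00 +0000] "POST /docs_upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [30/May/2026:10:05:03 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
192.0.2.9 - - [30/May/2026:10:07:41 +0000] "GET /uploads/cmd.php?c=whoami HTTP/1.1" 200 64 "-" "curl/8.0"
""".strip()


def parse_log(lines):
    """Yield dicts for lines that match the combined log format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def hunt(lines):
    """Correlate POSTs to the upload endpoint with later requests for PHP files
    under the upload directory. Every request for a PHP file in that directory is
    suspicious on its own (the shell may be used from a different IP than the one
    that dropped it), so it is reported even without a matching POST."""
    posted = []  # IPs that hit docs_upload.php, in first-seen order
    result = {"upload_posts": posted, "upload_then_exec": [], "php_in_upload_dir": []}
    for rec in parse_log(lines):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith("/" + UPLOAD_ENDPOINT):
            if rec["ip"] not in posted:
                posted.append(rec["ip"])
            continue
        if path.startswith("/" + UPLOAD_DIR + "/") and path.lower().endswith(PHP_EXTS):
            hit = (rec["ip"], path)
            result["php_in_upload_dir"].append(hit)
            if rec["ip"] in posted:
                result["upload_then_exec"].append(hit)
    return result


def find_php_payloads(directory):
    """Return relative paths of files under `directory` whose bytes contain a PHP
    open tag. Content is checked rather than extension so polyglots and renamed
    files (image.jpg.php, files with a leading JPEG header) are still caught."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()  # uploads are small; cap this on a real server
            if PHP_TAG.search(data):
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)


def build_sample_upload_dir():
    """Constructed fixture: a benign PDF, a text file, a plain PHP file, and a
    JPEG-headed polyglot carrying a PHP tag. Returns the temp directory path."""
    d = tempfile.mkdtemp(prefix="deltasql_uploads_")
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "notes.txt": b"plain text, nothing to see\n",
        "cmd.php": b"<?php /* webshell stand-in */ echo 1; ?>",
        "avatar.jpg.php": b"\xff\xd8\xff\xe0JFIF<?= /* polyglot stand-in */ 1 ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG.splitlines())
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("php payloads on disk:", find_php_payloads(build_sample_upload_dir()))
```

Run against real logs, the `upload_posts` list is the set of hosts to pull full request bodies for (every hit on docs_upload.php is unauthenticated by construction), and anything in `php_in_upload_dir` with a 200 status is evidence the dropped file executed. The disk scan deliberately ignores extensions; once the web server has been configured not to execute scripts in the upload directory, any file it reports is still attacker-controlled content that should be removed.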

Sources