high advisory

CVE-2018-25428: Paroiciel 11.20 SQL Injection Vulnerability

Paroiciel 11.20 is vulnerable to SQL injection: unauthenticated attackers can inject SQL through the tRecIdListe parameter of GET requests to the trec.php endpoint, execute arbitrary queries against the backend database, and extract sensitive database information.

Paroiciel 11.20 is susceptible to an SQL injection vulnerability, as identified by CVE-2018-25428. This flaw allows unauthenticated attackers to inject malicious SQL code through the tRecIdListe parameter in HTTP GET requests sent to the trec.php endpoint. Discovered in 2026, exploitation enables attackers to execute arbitrary SQL queries, potentially leading to the extraction of sensitive database information, including table and column names. Given the ease of exploitation (unauthenticated access), this vulnerability presents a significant risk for systems running Paroiciel 11.20. Defenders should prioritize detection and remediation efforts to mitigate the risk of unauthorized data access and potential compromise.

Attack Chain

  1. The attacker identifies a Paroiciel 11.20 instance accessible over the network.
  2. The attacker crafts a malicious HTTP GET request targeting the trec.php endpoint.
  3. The crafted GET request includes the tRecIdListe parameter with an injected SQL payload designed to extract information.
  4. The Paroiciel application processes the request without proper sanitization of the tRecIdListe parameter.
  5. The injected SQL code is executed against the Paroiciel database.
  6. The database returns the results of the injected SQL query, which could include table names, column names, and other sensitive data.
  7. The attacker receives the database response containing the extracted information.
  8. The attacker analyzes the extracted data to identify further targets for exploitation or exfiltration.

Impact

Successful exploitation of CVE-2018-25428 allows unauthenticated attackers to execute arbitrary SQL queries on the Paroiciel 11.20 database. This can lead to the extraction of sensitive information, potentially including usernames, passwords, customer data, and other confidential information stored within the database. The compromised data can then be used for further malicious activities, such as identity theft, financial fraud, or extortion. The lack of authentication required for exploitation significantly increases the risk.

Recommendation

  • Deploy the Sigma rule Detect CVE-2018-25428 Exploitation — Paroiciel SQL Injection via tRecIdListe to your SIEM to identify potential exploitation attempts targeting the trec.php endpoint.
  • Inspect web server logs for GET requests to trec.php containing suspicious characters or SQL keywords in the tRecIdListe parameter, as detailed in the rule.
  • Consider implementing a Web Application Firewall (WAF) rule to block requests containing SQL injection payloads in the tRecIdListe parameter.
  • Apply available patches or upgrade to a secure version of Paroiciel to remediate CVE-2018-25428.
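As an added example (not code from the advisory, the Sigma rule, or the Paroiciel project), the log inspection recommended above implemented in Python: it parses Combined Log Format access-log lines, isolates the decoded tRecIdListe value on requests to trec.php, and flags values that are not a plain numeric id list. The log lines, the client addresses, and the keyword list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /trec.php?tRecIdListe=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2026:10:00:02 +0000] "GET /trec.php?tRecIdListe=12%27%20OR%201%3D1-- HTTP/1.1" 200 8192 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2026:10:00:03 +0000] "GET /trec.php?tRecIdListe=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jan/2026:10:00:04 +0000] "GET /index.php?tRecIdListe=1%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords and characters the advisory calls out as suspicious in tRecIdListe (assumed list).
SQL_KEYWORDS = re.compile(r"\b(union|select|or|and|sleep|benchmark|information_schema)\b", re.I)
SUSPICIOUS_CHARS = re.compile(r"['\";()=#]|--|/\*")

def extract_trecidliste(target):
    """Return the decoded tRecIdListe value if the request targets trec.php, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/trec.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("tRecIdListe")
    if not values:
        return None
    # parse_qs already decoded once; a second pass catches double-encoded payloads.
    return unquote_plus(values[0])

def is_suspicious(value):
    """A legitimate id list is digits and separators; anything else is inspected."""
    if re.fullmatch(r"[\d,\s]*", value):
        return False
    return bool(SQL_KEYWORDS.search(value) or SUSPICIOUS_CHARS.search(value))

def scan_log(text):
    """Return (client_ip, status, decoded_value) for each GET to trec.php with a suspicious tRecIdListe."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        value = extract_trecidliste(m.group("target"))
        if value is not None and is_suspicious(value):
            hits.append((m.group("ip"), m.group("status"), value))
    return hits

if __name__ == "__main__":
    for ip, status, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} status={status} tRecIdListe={value!r}")
```

The status code is carried along because a 500 on a flagged request often marks a probe that broke the query, while a 200 with an unusually large response is the case to escalate first.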

Detection coverage (1 rule)

Detect CVE-2018-25428 Exploitation — Paroiciel SQL Injection via tRecIdListe

Severity: high

Detects CVE-2018-25428 exploitation — SQL injection attempts targeting the tRecIdListe parameter in Paroiciel trec.php

Rule format: sigma
Tactics: initial_access
Techniques: T1190, T1202
Sources: webserver
