{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sql-1.8.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25412"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sql 1.8.2"],"_cs_severities":["critical"],"_cs_tags":["cve","file-upload","rce"],"_cs_type":"advisory","_cs_vendors":["Delta"],"content_html":"\u003cp\u003eDelta Sql 1.8.2 is vulnerable to an arbitrary file upload vulnerability (CVE-2018-25412). An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the \u003ccode\u003edocs_upload.php\u003c/code\u003e endpoint. The request must contain multipart form data specifically designed to bypass upload restrictions. Successful exploitation allows the attacker to upload arbitrary files, including PHP files, to the server\u0026rsquo;s upload directory. This can lead to remote code execution (RCE) as the uploaded files can be accessed and executed by the web server. The impact is significant due to the ease of exploitation and the potential for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Delta Sql 1.8.2 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP file containing arbitrary code to be executed on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request with multipart form data, targeting the \u003ccode\u003edocs_upload.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request is designed to bypass file type and size restrictions. The filename extension is set to \u003ccode\u003e.php\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted POST request to the vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious PHP file to the upload directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP file via a web browser, triggering its execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, potentially gaining full control of the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25412 allows an unauthenticated attacker to execute arbitrary code on the affected server. This can lead to complete system compromise, data theft, defacement, or denial-of-service. The lack of authentication makes this vulnerability particularly dangerous. Given the high CVSS score (9.8), immediate action is required to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or upgrades for Delta Sql to address CVE-2018-25412.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload validation on the server to prevent arbitrary file uploads. Block uploads to \u003ccode\u003edocs_upload.php\u003c/code\u003e via the \u0026ldquo;Detect CVE-2018-25412 Exploitation — Malicious File Upload\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003edocs_upload.php\u003c/code\u003e using the \u0026ldquo;Detect CVE-2018-25412 Exploitation — Suspicious POST Request\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-30T16:17:51Z","date_published":"2026-05-30T16:17:51Z","id":"https://feed.craftedsignal.io/briefs/2026-05-delta-sql-upload/","summary":"Delta Sql version 1.8.2 contains an arbitrary file upload vulnerability (CVE-2018-25412) that allows unauthenticated attackers to upload malicious files via crafted POST requests, potentially leading to remote code execution.","title":"CVE-2018-25412: Delta Sql 1.8.2 Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-delta-sql-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — Sql 1.8.2","version":"https://jsonfeed.org/version/1.1"}