CVE-2018-25272

CriticalPublic PoC

Published: 22 April 2026

Published

22 April 2026

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0010 27.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands…

via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely remediation of the known flaw in ELBA5 5.8.0 directly prevents remote code execution exploitation.

IA-5 Authenticator Management good match

prevent

Prohibiting default connector credentials blocks the initial unauthenticated database access required for the attack chain.

CM-7 Least Functionality good match

prevent

Restricting least functionality by disabling xp_cmdshell and unnecessary database procedures prevents arbitrary command execution with SYSTEM privileges.

Security SummaryAI

CVE-2018-25272 is a remote code execution vulnerability affecting ELBA5 version 5.8.0. The flaw enables attackers to obtain database credentials and execute arbitrary commands with SYSTEM-level permissions by connecting to the database using default connector credentials, decrypting the DBA password, and leveraging mechanisms such as the xp_cmdshell stored procedure or adding backdoor users to the BEDIENER table. It is associated with CWE-326 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants full control over the system, including arbitrary command execution at the highest privilege level, potentially leading to complete compromise of the affected ELBA5 instance and its underlying database.

Advisories and references, including those from VulnCheck detailing the remote code execution via database access, the vendor site at elba.at, and a proof-of-concept exploit on Exploit-DB (45905), provide further technical details. Practitioners should consult these for patch availability or mitigation guidance specific to ELBA5 deployments.

Details

CWE(s): CWE-326

AI Security AnalysisAI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: backdoor

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1212 Exploitation for Credential Access Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of database service using default connector credentials and password decryption flaw enables initial access (T1190), credential collection (T1212), and privilege escalation to SYSTEM for arbitrary command execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.elba.at
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/45905
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/elba5-remote-code-execution-via-database-access
disclosure@vulncheck.com