
CVE-2018-25357 -- CVSS 9.8 Vulnerability Briefing

CVE-2018-25357 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2018-25357 is a remote code execution vulnerability in Dolibarr ERP/CRM version 7.0.3, exploitable by unauthenticated attackers through the application's installation or configuration interface.

Technical Detail

The flaw exists in the handling of the db_name parameter: user-supplied input is incorporated into a PHP execution context without sanitization, allowing an attacker to inject arbitrary PHP code. No authentication is required to trigger the vulnerability, so any network-reachable instance is exposed with no further precondition. Successful exploitation results in full remote code execution under the web server process, granting an attacker the ability to read, write, or delete files, execute system commands, and pivot further into the hosting environment.

Exploitation Status

This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. No known public exploit code has been confirmed at this time, and exploit maturity is assessed as none. Despite the absence of confirmed weaponized tooling, the unauthenticated nature and critical CVSS score of 9.8 make this a high-priority patching target regardless of current exploitation evidence.

Who Is Targeting This

Confirmed (ATTAX-verified): TA577 (origin unknown, motivation unknown), Lazarus Group (DPRK, nation-state motivation), APT29 (Russia, nation-state motivation), and Moonstone Sleet (DPRK, nation-state motivation) have all been associated with this vulnerability at high confidence. The involvement of multiple nation-state actors alongside a financially or criminally motivated group like TA577 suggests broad interest in this vulnerability across threat actor categories. No additional reported or research-inferred actor associations are on record beyond those confirmed above.

What To Do

Organizations running Dolibarr ERP/CRM should immediately verify whether any instances are running version 7.0.3 or earlier and upgrade to a current supported release. If immediate patching is not feasible, restrict network access to the Dolibarr installation interface at the perimeter or host firewall level, ensuring the application is not exposed to untrusted networks. Detection efforts should focus on anomalous HTTP POST requests to installation or setup endpoints containing PHP syntax patterns in parameter values, as well as unexpected process spawning from the web server user account. Given the confirmed interest from nation-state actors including Lazarus Group and APT29, organizations in government, defense, finance, and critical infrastructure sectors should treat this as an elevated priority even absent confirmed active exploitation.
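The two detection heuristics above, applied to constructed sample data as an added example (not part of the original briefing or of Dolibarr itself): a POST to the install/setup path whose form values contain PHP syntax, and a shell spawned by the web server's PHP process under the web user. The install path pattern, the web-user and process names, and the sample records are all assumptions to be adjusted to the deployment.

```python
"""Detection heuristics from the briefing, run over constructed sample data."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Installation/setup interface paths (assumption: served from the web root or one subdirectory)
INSTALL_PATH = re.compile(r"^/(?:[^/]+/)?install/", re.IGNORECASE)

# PHP syntax fragments that never belong in a database name or similar setup value
PHP_SYNTAX = re.compile(
    r"<\?(?:php|=)?|\?>|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
    r"|\b(?:eval|system|exec|passthru|shell_exec|assert)\s*\("
    r"|['\"]\s*;",
    re.IGNORECASE,
)

# Web server accounts and PHP/HTTP processes whose children should not be shells (assumed names)
WEB_USERS = {"www-data", "apache", "nginx"}
WEB_PROCS = {"php-fpm", "apache2", "httpd"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def php_like_fields(body: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs from a URL-encoded form body that contain PHP syntax."""
    fields = parse_qs(body, keep_blank_values=True)
    return [(k, v) for k, vals in fields.items() for v in vals if PHP_SYNTAX.search(v)]


def flag_request(method: str, path: str, body: str) -> Optional[dict]:
    """Flag a POST to the install/setup interface whose parameters carry PHP syntax."""
    if method.upper() != "POST" or not INSTALL_PATH.search(path):
        return None
    hits = php_like_fields(body)
    return {"path": path, "fields": hits} if hits else None


def flag_process(user: str, parent: str, child: str) -> bool:
    """Flag a shell spawned by the web server's PHP/HTTP process under the web user."""
    return user in WEB_USERS and parent in WEB_PROCS and child in SHELLS


# Constructed sample data (not real traffic or telemetry); bodies are URL-encoded form data
SAMPLE_REQUESTS = [
    ("POST", "/install/step1.php", "db_name=dolibarr&db_user=dolibarr&db_pass=s3cret"),
    ("POST", "/install/step1.php", "db_name=dolibarr%27%3B+echo+%27probe%27%3B+%2F%2F&db_user=dolibarr"),
    ("GET", "/install/step1.php", "db_name=%3C%3Fphp"),
    ("POST", "/user/card.php", "note=%3C%3Fphp+echo+1%3B+%3F%3E"),
]
SAMPLE_PROCESSES = [("www-data", "php-fpm", "sh"), ("www-data", "php-fpm", "mysqldump"), ("root", "cron", "sh")]


def run_detections() -> Tuple[List[dict], List[Tuple[str, str, str]]]:
    """Apply both heuristics to the constructed samples and return what each flags."""
    requests = [f for f in (flag_request(*r) for r in SAMPLE_REQUESTS) if f]
    processes = [p for p in SAMPLE_PROCESSES if flag_process(*p)]
    return requests, processes
```

Only the second request (PHP-style quote-and-semicolon inside db_name on the install path) and the first process event (php-fpm spawning sh as www-data) are flagged; the GET and the non-install POST are left alone so the rule stays narrow.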
