CVE-2018-25338: Zechat SQLi Allows Unauthenticated Database Extraction

The National Vulnerability Database (NVD) reports CVE-2018-25338, a high-severity SQL injection vulnerability in Zechat version 1.5. This flaw resides within the hashtag parameter, enabling unauthenticated attackers to extract sensitive database information.

Attackers can leverage union-based SQL injection techniques to enumerate and retrieve critical database schema details, including table and column names. With a CVSS score of 8.2 (High), this vulnerability poses a significant risk for data exfiltration, as an attacker requires no prior authentication to exploit it.

While the NVD does not specify affected products beyond Zechat 1.5, any organization utilizing this chat application should prioritize immediate remediation. The ease of exploitation combined with the potential for full database information disclosure makes this a critical security gap.

What This Means For You

  • If your organization uses Zechat 1.5, you are exposed. This isn't theoretical; an unauthenticated attacker can dump your database content. Identify all instances of Zechat 1.5 immediately and either patch or take them offline until a fix is deployed. Audit logs for any suspicious activity related to the `hashtag` parameter.

🛡️ Detection Rules

high T1190 Initial Access

CVE-2018-25338: Zechat SQLi in hashtag parameter

Sigma YAML:

```yaml
# Title is quoted because a plain YAML scalar cannot contain ": ".
title: 'CVE-2018-25338: Zechat SQLi in hashtag parameter'
id: scw-2026-05-17-ai-1
status: experimental
level: high
description: |
  Detects exploitation attempts against Zechat 1.5's SQL injection vulnerability (CVE-2018-25338) in the hashtag parameter. The rule looks for specific API endpoints and SQL keywords commonly used in union-based SQL injection attacks to extract database information.
author: SCW Feed Engine (AI-generated)
date: 2026-05-17
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25338/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # The request path must match and every query-string token must be present.
    cs-uri|contains: '/api/v1/get_user_info'
    # One key with the "all" modifier replaces the repeated cs-uri-query keys,
    # which YAML would otherwise collapse to the last entry only.
    cs-uri-query|contains|all:
      - 'hashtag='
      - 'UNION'
      - 'SELECT'
      - 'database()'
      - 'information_schema'
  # The condition sits under detection and refers to the selection by name.
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse
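For the log audit recommended above, the following added example (not part of the original rule or of any Zechat tooling) scans web access logs for `hashtag` values that carry union-select or schema-enumeration tokens after URL-decoding, which a raw substring match on the logged query string misses when the request is percent-encoded. It assumes Combined Log Format and that the parameter arrives in the query string; the function names, the path and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PARAM = "hashtag"  # parameter named in the advisory
# Union-select and schema-enumeration tokens, matched on normalised text.
SQLI = re.compile(
    r"\bunion\W+(?:(?:all|distinct)\W+)?select\b|\binformation_schema\b|\bdatabase\s*\(",
    re.IGNORECASE)
# Assumed log layout: Combined Log Format, client address first.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalise(value, rounds=3):
    """Undo repeated URL-encoding, drop SQL block comments, collapse whitespace."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", value).strip()

def suspicious_hashtag_requests(lines):
    """Return (client, status, decoded_value) for each flagged request."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line in the assumed format
        client, target, status = match.groups()
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name.lower() != PARAM:
                continue  # only the parameter from the advisory is in scope
            decoded = normalise(value)
            if SQLI.search(decoded):
                hits.append((client, status, decoded))
    return hits

# Constructed sample lines (documentation addresses, made-up path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /example/page?hashtag=security HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /example/page?hashtag=x%27%20UNION%20SELECT%20database()--+ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /example/page?hashtag=x%2527%2520uNiOn%2520sElEcT%25201 HTTP/1.1" 500 0',
    '203.0.113.4 - - [01/Jan/2025:10:01:00 +0000] "GET /example/page?q=union+select HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, status, value in suspicious_hashtag_requests(SAMPLE_LOG):
        print(f"{client} status={status} hashtag={value!r}")
```

A flagged request that returned status 200 deserves review first, since the injected query may have produced output. Parameters sent in a request body do not appear in access logs and need application or WAF logging instead.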

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25338 | SQLi | Zechat 1.5 |
| CVE-2018-25338 | SQLi | hashtag parameter |
| CVE-2018-25338 | SQLi | unauthenticated database information extraction |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 17, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
