CVE-2018-25129
Unknown Unknown - Not Provided
Insecure Direct Object Reference in SOCA Access Control Exposes Credentials

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25129
EUVD
EUVD-2025-205351
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
soca access_control_system 4.0
apache http_server 2.2.22
soca_technology_co.,_ltd soca_access_control_system 141007
soca_technology_co.,_ltd soca_access_control_system 170000
php php 5.4.13
soca_technology_co.,_ltd soca_access_control_system 180612
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in SOCA Access Control System 180612 is an insecure direct object reference (IDOR) flaw that allows attackers to bypass authorization controls and access sensitive user credentials. Authenticated users can retrieve password hashes via the Get_Permission_From_DB.php endpoint, while unauthenticated attackers can obtain card numbers and PINs through the Ac10_ReadSortCard CGI endpoint. Additionally, a phpinfo.php page exposes detailed PHP configuration information, aiding further exploitation. These issues arise from improper access control and insufficient input validation. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive user credentials such as password hashes and card PINs. Attackers can gain access to authenticated user password hashes and unauthenticated access to card numbers and PINs, which may be default values like '0000'. This exposure can compromise the security of the access control system, potentially allowing attackers to bypass physical security measures, impersonate users, and gain unauthorized entry. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoints that disclose sensitive information. For authenticated detection, use a curl command with a valid PHP session cookie to access the endpoint Get_Permission_From_DB.php, which returns JSON data containing user IDs and password hashes. For example: curl --cookie "PHPSESSID=your_session_id" http://target/Get_Permission_From_DB.php. For unauthenticated detection, send a crafted POST request to the Ac10_ReadSortCard CGI endpoint at Reader_Action.cgi/Ac10_ReadSortCard, which returns JSON data with card numbers and PINs. Additionally, check for the presence of a phpinfo.php page that exposes PHP configuration details. These commands help verify if the system is vulnerable by confirming if sensitive data is accessible through these endpoints. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoints such as Get_Permission_From_DB.php and Reader_Action.cgi/Ac10_ReadSortCard by implementing proper authorization checks and access controls. Disable or restrict access to the phpinfo.php page to prevent exposure of PHP configuration information. Additionally, review and update the application to validate user input properly and prevent insecure direct object references (IDOR). Applying patches or updates from the vendor, if available, is also recommended to address these security flaws. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart