CVE-2018-25272
Remote Code Execution in ELBA5 5.8.0 via Database Credential Exposure
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elba | elba5 | up to 5.8.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-326 | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to sensitive database credentials and the ability for attackers to execute arbitrary commands with SYSTEM level permissions.
Such access can lead to full system compromise, data theft, data manipulation, installation of backdoors, and persistent unauthorized control over the affected system.
Can you explain this vulnerability to me?
The vulnerability in ELBA5 5.8.0 is a remote code execution flaw that allows attackers to gain unauthorized access to database credentials and execute arbitrary commands with SYSTEM level permissions.
Attackers can connect to the database using default connector credentials, decrypt the DBA password, and then execute commands through the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions, leading to full system compromise.
Such unauthorized access and control over sensitive data could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
The ability to add backdoor users and execute commands remotely undermines the confidentiality, integrity, and availability of data, potentially leading to non-compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious connections to the ELBA5 database on port 2640 using the default connector credentials (username: connector, password: connector).
Monitoring for unusual database queries that attempt to decrypt the DBA password or execute the xp_cmdshell stored procedure can also indicate exploitation attempts.
Commands to detect this activity may include network monitoring tools to observe connections on port 2640 and database query logs to identify suspicious SQL commands.
- Use netstat or similar tools to check for active connections on port 2640: netstat -an | findstr 2640
- Monitor database logs for execution of xp_cmdshell or unusual insertions into the BEDIENER table.
- Check for presence of unknown users such as a backdoor user named "HACKER" in the BEDIENER table.
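The log-based checks listed above, as an added example that is not part of this CVE record or the vendor's tooling: it scans database audit log lines for the three indicators the record names (use of the default "connector" login, xp_cmdshell execution, and inserts into the BEDIENER table). The log line format and the sample lines are constructed for the example and are not real ELBA5 output.

```python
import re

# Constructed sample audit log in an assumed "timestamp | login | client | statement" shape.
# These lines are made up for the example; they are not real ELBA5 or database log output.
SAMPLE_LOG = """\
2026-04-22 10:01:03 | elba_app | 10.0.0.15 | SELECT * FROM BEDIENER WHERE ID = 7
2026-04-22 10:02:11 | connector | 203.0.113.9 | SELECT PASSWORD FROM DBA_CONFIG
2026-04-22 10:02:14 | dba | 203.0.113.9 | EXEC master..xp_cmdshell 'whoami'
2026-04-22 10:02:20 | dba | 203.0.113.9 | INSERT INTO BEDIENER (NAME, ROLE) VALUES ('HACKER', 'ADMIN')
2026-04-22 10:05:00 | elba_app | 10.0.0.15 | UPDATE BEDIENER SET LASTLOGIN = NOW() WHERE ID = 7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| (?P<login>[^|]+?) \| (?P<client>[^|]+?) \| (?P<sql>.*)$"
)

# Detection rules: (name, predicate over the login name and the SQL statement).
# Ordinary reads/updates of BEDIENER by the application are deliberately not flagged;
# only new rows (backdoor users) and the two other indicators from the record are.
RULES = [
    ("default connector login",
     lambda login, sql: login.strip().lower() == "connector"),
    ("xp_cmdshell execution",
     lambda login, sql: re.search(r"\bxp_cmdshell\b", sql, re.I) is not None),
    ("insert into BEDIENER",
     lambda login, sql: re.match(r"\s*INSERT\s+INTO\s+BEDIENER\b", sql, re.I) is not None),
]


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Return findings as (timestamp, login, client, rule_name, sql) tuples, in log order."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        for name, pred in RULES:
            if pred(rec["login"], rec["sql"]):
                findings.append((rec["ts"], rec["login"].strip(),
                                 rec["client"].strip(), name, rec["sql"]))
    return findings


def rule_names(findings):
    """Convenience view: just the rule names that fired, in order."""
    return [f[3] for f in findings]
```

Real deployments will need the regex adapted to the actual log shape; the rule predicates are independent of it, so only parse_line and LINE_RE change.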
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating ELBA5 to a version later than 5.8.0, such as ELBA5 version 5.8.2, which contains fixes and improvements.
Change default connector database credentials to strong, unique passwords to prevent unauthorized access.
Restrict network access to the ELBA5 database port (2640) to trusted hosts only.
Disable or restrict use of the xp_cmdshell stored procedure if it is not required.
Regularly audit database users and remove any unauthorized or suspicious accounts, especially backdoor users like "HACKER".