CVE-2018-25150
Description
Ecessa ShieldLink SL175EHQ 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a hidden form to add a superuser account by tricking a logged-in administrator into loading the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Ecessa ShieldLink SL175EHQ 10.7.4 allows unauthenticated attackers to create superuser accounts by tricking an admin into loading a crafted page.
Analysis
The Ecessa ShieldLink SL175EHQ (firmware version 10.7.4) is affected by a cross-site request forgery (CSRF) vulnerability in the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint. The application performs sensitive actions, such as creating administrative users, via HTTP POST requests without including anti-CSRF tokens or other validity checks [2]. As a result, any authenticated administrator's browser can be coerced into submitting a forged request without the administrator's knowledge or consent.
Exploitation
An attacker can exploit this vulnerability by hosting a malicious web page containing a hidden HTML form that submits a POST request to the vulnerable device (example uses 127.0.0.1 as the target, but in a real attack it would be the device's IP). The form sets parameters to create a new superuser account (e.g., username h4x0r with password 123123) [2]. If a logged-in administrator visits the attacker's page, the form auto-submits, and the new account is created. No authentication or prior knowledge is required on the attacker's part; the attack only requires tricking an active administrator.
Impact
Successful exploitation grants the attacker a fully privileged administrative (superuser) account on the affected ShieldLink appliance. An attacker could then log in, modify firewall or SD-WAN settings, exfiltrate network data, or disrupt connectivity, effectively gaining full control of the device and the traffic passing through it [2]. The CSRF vector means the attacker never needs to authenticate; they simply leverage the administrator's existing session.
Mitigation
Ecessa (now part of OneNet Global) has not released a public patch for this specific CVE as of the publication date [1]. Affected firmware versions include 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, and 9.2.24 [2]. Workarounds include restricting administrator access to trusted networks only, using separate browser profiles for device management, and educating administrators not to browse untrusted sites while logged into the appliance.
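Because the forged request arrives from the administrator's own browser and session, source IP and username look legitimate; the distinguishing signal is the Referer (or Origin) of a state-changing POST to the endpoint named above. The following added detection script is not part of this record or of Ecessa's software; it assumes a combined-format access log and a hypothetical management hostname, and scans constructed sample lines for cross-site or Referer-less POSTs to util_configlogin_act.

```python
import re
from urllib.parse import urlsplit

# Hypothetical hostname of the appliance's management UI (assumption, not from the CVE).
DEVICE_HOST = "shieldlink.corp.example"
# Endpoint named in the CVE write-up.
SENSITIVE_PATH = "/cgi-bin/pl_web.cgi/util_configlogin_act"

# Combined log format: client ident user [time] "METHOD PATH PROTO" status bytes "Referer" "User-Agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real device logs. All come from the admin's own
# workstation; only the Referer reveals which POSTs were triggered by a foreign page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [19/May/2026:10:00:01 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "https://shieldlink.corp.example/cgi-bin/pl_web.cgi/util_configlogin" "Mozilla/5.0"',
    '10.0.0.5 - admin [19/May/2026:10:07:44 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "http://evil.example/news.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [19/May/2026:10:09:10 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [19/May/2026:10:09:30 +0000] "GET /cgi-bin/pl_web.cgi/status HTTP/1.1" 200 2048 "https://shieldlink.corp.example/" "Mozilla/5.0"',
]

def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def csrf_reason(entry):
    """Return why this entry looks like a cross-site POST to the account endpoint, else None."""
    if entry["method"] != "POST" or not entry["path"].startswith(SENSITIVE_PATH):
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        # Weaker signal: referrer policies can also strip Referer, so review rather than alert hard.
        return "no Referer on state-changing POST"
    host = urlsplit(referer).hostname
    if host != DEVICE_HOST:
        return f"cross-site Referer host {host!r}"
    return None

def scan(lines):
    """Yield (client, user, reason) for every suspicious entry in the given log lines."""
    hits = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        reason = csrf_reason(entry)
        if reason:
            hits.append((entry["client"], entry["user"], reason))
    return hits

if __name__ == "__main__":
    for client, user, reason in scan(SAMPLE_LOG):
        print(f"{client} {user}: {reason}")
```

A stronger check on a device that logs the Origin header is to compare Origin against the management hostname instead, since Origin is sent on cross-site POSTs even when Referer is suppressed.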
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: =10.7.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.