CVE-2018-25151
Description
Ecessa WANWorx WVR-30 versions before 10.7.4 contain a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft a malicious web page with a hidden form to create a new superuser account by tricking an authenticated administrator into loading the page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ecessa WANWorx WVR-30 before 10.7.4 lacks CSRF protection, allowing attackers to create a superuser account via a malicious page.
Root cause
CVE-2018-25151 describes a cross-site request forgery (CSRF) vulnerability in Ecessa WANWorx WVR-30 devices running versions before 10.7.4. The web interface fails to validate the origin of HTTP requests, allowing an attacker to forge requests without the victim's consent [1][2]. The application does not implement anti-CSRF tokens or other request verification mechanisms, making it susceptible to this type of attack.
Exploitation
To exploit this vulnerability, an attacker crafts a malicious web page containing a hidden HTML form. This form, when loaded by an authenticated administrator, automatically submits a POST request to the device's /cgi-bin/pl_web.cgi/util_configlogin_act endpoint. The form includes parameters to create a new superuser account, such as setting a username (e.g., "root") and disabling the password field [2]. The attack relies on social engineering to trick the administrator into visiting the prepared page while their session is active.
Impact
If exploited, the attacker can add a new administrative user with superuser privileges to the device [2]. This grants the attacker full control over the WANWorx appliance, including the ability to modify configurations, disrupt network operations, or use the device as a pivot point for further network attacks. Because the forged request is made from the administrator's authenticated session, no direct authentication bypass is needed by the attacker.
Mitigation
Ecessa addressed this vulnerability in firmware version 10.7.4. Users are advised to update their devices to this or a later version [1][2]. No workarounds are documented; however, limiting administrative access to trusted networks and educating administrators about phishing risks can reduce the likelihood of exploitation.
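As an added, defender-side illustration (not code from the CVE record or from Ecessa's firmware) of the two request-verification checks the root-cause section says the affected web interface lacked, the Python below gates a state-changing request on a same-origin check and a session-bound anti-CSRF token, then evaluates a constructed legitimate submission and a constructed cross-site hidden-form submission. The management origin, session identifier and form parameter names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical values: a per-boot server secret and the management interface's own origin.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://wanworx.example.internal"  # constructed, not a real device URL
SESSION = "sess-constructed-0001"                     # constructed session identifier

def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: rendered into every state-changing form by
    the UI, and unreadable to a page served from any other origin."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def state_change_allowed(method, headers, session_id, form):
    """Gate a state-changing request (e.g. adding an administrative user) with the two checks
    the root-cause section says the affected firmware lacked. Returns (allowed, reason)."""
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return False, "state changes require a non-GET method"
    # Check 1: the request must originate from the management interface itself.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin/Referer"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        return False, "cross-site origin"
    # Check 2: the form must carry the token issued to this session (constant-time compare).
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), issue_csrf_token(session_id).encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"

# Constructed legitimate submission from the management UI, carrying the session's token.
LEGIT_REQUEST = {
    "method": "POST",
    "headers": {"Origin": TRUSTED_ORIGIN, "Cookie": f"session={SESSION}"},
    "form": {"action": "add_user", "csrf_token": issue_csrf_token(SESSION)},
}

# Constructed auto-submitted hidden form from a third-party page: the browser still attaches
# the admin's session cookie, but the Origin names the other site and no valid token exists.
FORGED_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://third-party.example", "Cookie": f"session={SESSION}"},
    "form": {"action": "add_user"},
}

def evaluate(request):
    # The session id would normally be resolved server-side from the cookie; SESSION stands in here.
    return state_change_allowed(request["method"], request["headers"], SESSION, request["form"])
```

The forged request is refused even though it carries the administrator's cookie, which is exactly the property the affected firmware lacked.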
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <10.7.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.