CVE-2018-25152
Description
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ecessa Edge EV150 10.7.4 is vulnerable to CSRF, allowing unauthenticated attackers to create administrative accounts via a crafted form.
Vulnerability
Overview
CVE-2018-25152 describes a cross-site request forgery (CSRF) vulnerability in the Ecessa Edge EV150 appliance running firmware version 10.7.4. The application fails to perform any validity checks on HTTP requests, allowing an attacker to trick an authenticated user's browser into performing actions with administrative privileges [2]. The root cause is the lack of CSRF tokens or other origin verification mechanisms on sensitive endpoints.
Exploitation
An attacker can craft a malicious web page containing a hidden form that submits a POST request to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint [2]. The form includes parameters to add a new superuser account (e.g., username h4x0r with password 123123) by setting user_superuser4 to on [2]. The attack requires the victim to be logged into the Ecessa interface while visiting the attacker's page; no authentication is needed for the attacker themselves [1].
Impact
Successful exploitation allows the attacker to create a new administrative user with full superuser privileges [2]. The attacker can then log in with those credentials and gain complete control over the device, including modifying network configuration, firewall rules, and potentially pivoting to internal networks [1].
Mitigation
Ecessa has not released a patch for this vulnerability; the affected versions include 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, and 9.2.24 [2]. Users should restrict access to the management interface to trusted networks, implement additional authentication layers, or consider upgrading to a supported product line [1].
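Since no patch is available, detection complements the access restrictions above. The following is an added example (not code from Ecessa or from this page) that scans web access logs for POSTs to the account-change endpoint whose Referer is missing or points away from the appliance. It assumes Combined Log Format logs from a reverse proxy placed in front of the management interface; the trusted hostnames and sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory text above.
ENDPOINT = "/cgi-bin/pl_web.cgi/util_configlogin_act"
# Assumption: hostnames under which admins legitimately reach the management UI.
TRUSTED_HOSTS = {"edge.example.internal", "192.0.2.10"}

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return None unless the line is a POST to ENDPOINT; otherwise a finding dict."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if urlsplit(m["path"]).path != ENDPOINT:  # ignore any query string
        return None
    referer = m["referer"]
    host = urlsplit(referer).hostname if referer not in ("", "-") else None
    if host is None:
        verdict = "suspicious: no usable Referer"
    elif host in TRUSTED_HOSTS:
        verdict = "same-origin"
    else:
        verdict = f"cross-origin: {host}"
    return {"time": m["time"], "client": m["ip"], "verdict": verdict}

def findings(lines):
    """Return account-change POSTs that did not originate from the UI itself."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["verdict"] != "same-origin"]

# Constructed sample log lines (not taken from a real device).
SAMPLE = [
    '192.0.2.50 - - [10/Oct/2018:13:55:36 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "https://edge.example.internal/" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Oct/2018:14:02:11 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "http://news.example.net/article.html" "Mozilla/5.0"',
    '192.0.2.51 - - [10/Oct/2018:14:05:40 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [10/Oct/2018:14:06:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

A missing Referer is not proof of forgery, since privacy settings and some proxies strip the header, so those hits should be correlated with the appliance's user list for unexpected superuser accounts.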
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: =10.7.4
Patches (0)
No patches discovered yet.
References (2)