CVE-2018-25144
Authentication Bypass in Microhard IPn4G Enables Arbitrary File Access
Publication date: 2025-12-24
Last updated on: 2026-02-02
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microhard_systems | ipn4g | 1.1.0 |
| microhard_systems | ipn4g | * |
| microhard_systems | ipn4gii | * |
| microhard_systems | ipn4gb | * |
| microhard_systems | vip4gb | * |
| microhard_systems | dragon-lte | * |
| microhard_systems | bullet-3g | * |
| microhard_systems | vip4g-wifi-n | * |
| microhard_systems | ipn3gii | * |
| microhard_systems | bullet-lte | * |
| microhard_systems | bulletplus | * |
| microhard_systems | httpd-ssl | 1.0.0 |
| microhard_systems | vip4g | * |
| microhard_systems | ipn3gb | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have severe impacts including exposure of sensitive system information, privilege escalation, denial of service, security bypass, and data manipulation. An attacker can read sensitive files like '/etc/passwd', modify configuration or credential files (e.g., adding new users to 'htpasswd'), or delete files. It also enables Cross-Site Request Forgery (CSRF) attacks to inject unauthorized changes, such as adding a root user with a known password hash, thereby compromising device integrity and confidentiality. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the hidden script `system-editor.sh` on the device's web interface and by monitoring for GET or POST requests containing the parameters `path`, `savefile`, `edit`, or `delfile`. You can use network monitoring tools to capture such requests. Additionally, testing can be done by sending authenticated requests to the device's web interface targeting `system-editor.sh` with these parameters to see if arbitrary file operations are possible. For example, using curl commands to send crafted requests to the device to read or modify files can help detect the vulnerability. Example commands include:
- Reading a file: `curl -k -u <user>:<password> "https://<device-ip>/system-editor.sh?path=/etc&edit=passwd"`
- Deleting a file: `curl -k -u <user>:<password> "https://<device-ip>/system-editor.sh?delfile=/path/to/file"`

Monitoring logs for such requests or unexpected file changes can also help detect exploitation attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the device's web interface to trusted and authenticated users only, as exploitation requires authentication. Disable or restrict access to the hidden `system-editor.sh` script if possible. Implement strict network access controls such as IP/MAC filtering and firewall rules to limit who can reach the device's web interface. Monitor for suspicious GET and POST requests containing the vulnerable parameters (`path`, `savefile`, `edit`, `delfile`). If available, update the device firmware to a version that addresses this vulnerability or apply vendor-provided patches. As no vendor response was noted, consider isolating the device from untrusted networks until a fix is available. [1, 2]
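The log monitoring recommended in the detection and mitigation answers above, as an added example (not part of the original advisory or any vendor tooling): it flags requests to `system-editor.sh` in web access logs and classifies them by which of the listed parameters are present. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script and parameter names come from the advisory text.
SCRIPT = "system-editor.sh"
WATCHED = {"path", "savefile", "edit", "delfile"}

# Assumption: Common Log Format lines from a reverse proxy or network sensor.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation addresses, not real traffic).
LOG = [
    '192.0.2.10 - admin [02/Feb/2026:10:00:01 +0000] "GET /index.sh HTTP/1.1" 200 512',
    '192.0.2.44 - admin [02/Feb/2026:10:03:17 +0000] "GET /system-editor.sh?path=/etc&edit=passwd HTTP/1.1" 200 901',
    '192.0.2.44 - admin [02/Feb/2026:10:04:02 +0000] "GET /system-editor.sh?delfile=%2Ftmp%2Fexample HTTP/1.1" 200 120',
    '192.0.2.44 - - [02/Feb/2026:10:05:00 +0000] "POST /system-editor.sh HTTP/1.1" 401 0',
]

def inspect(line, body=""):
    """Return a finding for a request to the editor script, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if unquote(url.path).rsplit("/", 1)[-1].lower() != SCRIPT:
        return None
    # parse_qs percent-decodes, so encoded names and values are normalised.
    params = parse_qs(url.query, keep_blank_values=True)
    # POST parameters are not in the access log; pass a captured body if available.
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    hits = sorted(WATCHED & params.keys())
    action = ("delete" if "delfile" in hits else
              "write" if "savefile" in hits else
              "read" if hits else "probe")
    return {"src": m["src"], "user": m["user"], "ts": m["ts"],
            "method": m["method"], "status": int(m["status"]),
            "action": action, "params": {k: params[k] for k in hits}}

def scan(lines):
    """Collect findings for every line that touches the editor script."""
    return [f for f in map(inspect, lines) if f]

if __name__ == "__main__":
    for finding in scan(LOG):
        print(finding)
```

Any hit on the script is worth reviewing, since the advisory describes it as hidden and undocumented; `delete` and `write` findings with a 2xx status should be checked against unexpected file changes on the device.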
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers to read, modify, or delete arbitrary files on affected Microhard Systems devices, potentially exposing sensitive system and configuration information. Such unauthorized access and manipulation of data could lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring system integrity. Therefore, exploitation of this vulnerability could negatively impact compliance with these common standards and regulations by compromising confidentiality and integrity of data. [1, 2]
Can you explain this vulnerability to me?
CVE-2018-25144 is an authentication bypass vulnerability in Microhard Systems IPn4G and other related 3G/4G cellular gateway devices. It exists in a hidden and undocumented shell script called 'system-editor.sh' that acts as a file editor or filesystem browser on the device's web interface. The vulnerability arises because the script improperly sanitizes user inputs passed through GET and POST parameters such as 'path', 'savefile', 'edit', and 'delfile'. This allows an authenticated attacker to arbitrarily read, modify, or delete files on the device by exploiting these unsanitized parameters. [1, 2]