CVE-2018-25150
CSRF in Ecessa ShieldLink SL175EHQ Allows Admin Account Creation
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ecessa | shieldlink | 10.7.4 |
| ecessa | shieldlink | 9.2.24 |
| ecessa | shieldlink | 10.5.4 |
| ecessa | shieldlink | 10.6.5.2 |
| ecessa | shieldlink | 10.2.24 |
| ecessa | shieldlink | 10.6.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2018-25150 is a Cross-Site Request Forgery (CSRF) vulnerability in Ecessa ShieldLink devices running firmware versions prior to 10.7.4. It allows attackers to create administrative user accounts without authentication by tricking a logged-in administrator into loading a malicious web page. This page contains a hidden form that submits a request to the device's web interface to add a superuser account, exploiting the lack of verification of the authenticity of HTTP requests in the device's web application. [2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized administrative access to Ecessa ShieldLink devices. An attacker can add a superuser account without authentication, allowing them to gain full control over the device. This can compromise the security and management of WAN optimization controllers, potentially leading to network disruptions, data interception, or manipulation of network traffic. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP POST requests to the device's internal configuration CGI script `/cgi-bin/pl_web.cgi/util_configlogin_act` that attempt to create or modify user accounts without proper authentication. Specifically, look for suspicious POST requests containing parameters that add superuser accounts (e.g., username 'h4x0r'). Network traffic inspection tools or web server logs can be used to identify such requests. Commands to check web server logs or capture traffic might include: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` to capture HTTP traffic, or `grep '/cgi-bin/pl_web.cgi/util_configlogin_act' /var/log/httpd/access_log` to find relevant requests in logs. [2]
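The log check described above, as an added example that is not part of this record or of Ecessa's own tooling: it parses httpd "combined"-format access log lines and flags POST requests to the account-creation CGI path whose Referer is missing or names a host other than the device, which is the signature a CSRF-delivered request would leave. The log format, the device hostname and the sample lines are constructed assumptions for this example; adjust them to the device's actual log output.

```python
import re
from urllib.parse import urlsplit

# CGI path from the advisory; the hostname is an assumed management name for this example.
TARGET_PATH = "/cgi-bin/pl_web.cgi/util_configlogin_act"
DEVICE_HOST = "shieldlink.example.internal"

# Apache "combined" log format (assumed; change the pattern if the device logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal GET, one legitimate POST from the device's own UI,
# one POST referred from a foreign page, and one POST with no Referer at all.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2025:10:01:02 +0000] "GET /cgi-bin/pl_web.cgi/status HTTP/1.1" 200 512 "https://shieldlink.example.internal/" "Mozilla/5.0"
10.0.0.5 - - [24/Dec/2025:10:02:10 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 233 "https://shieldlink.example.internal/cgi-bin/pl_web.cgi/util_configlogin" "Mozilla/5.0"
10.0.0.5 - - [24/Dec/2025:10:05:44 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 233 "http://attacker.example.net/lure.html" "Mozilla/5.0"
10.0.0.7 - - [24/Dec/2025:10:06:01 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 233 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cross_site(referer):
    """True when the Referer is absent ('-') or names a host other than the device itself."""
    if not referer or referer == "-":
        return True
    return urlsplit(referer).hostname != DEVICE_HOST

def find_suspicious(log_text):
    """Return (ip, timestamp, referer) for POSTs to TARGET_PATH that look cross-site."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?")[0] != TARGET_PATH:
            continue
        if is_cross_site(rec["referer"]):
            hits.append((rec["ip"], rec["ts"], rec["referer"]))
    return hits

if __name__ == "__main__":
    for ip, ts, ref in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} cross-site POST to {TARGET_PATH} (Referer: {ref})")
```

A missing Referer is a weaker signal than a foreign one, since browsers and referrer policies can strip it; treat such hits as leads to correlate with the device's user list rather than as confirmation.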
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Ecessa ShieldLink device firmware to version 10.7.4 or later, where this CSRF vulnerability is fixed. Additionally, restrict access to the device's web interface to trusted networks and users only, implement network-level protections such as firewall rules to block unauthorized HTTP requests to the device, and educate administrators to avoid visiting untrusted web pages while logged into the device's management interface. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to create administrative superuser accounts without authentication, potentially leading to unauthorized access and control over the device. This unauthorized access could result in compromised data integrity and security, which may violate compliance requirements of standards like GDPR and HIPAA that mandate strict access controls and protection of sensitive data. However, specific impacts on compliance are not detailed in the provided resources. [2]