CVE-2018-25151
CSRF in Ecessa WANWorx WVR-30 Enables Admin Account Creation
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ecessa | wanworx | 10.7.4 |
| ecessa | wanworx_wvr-30 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in Ecessa WANWorx WVR-30 devices running firmware versions below 10.7.4. The device's web interface performs administrative actions without validating that the request was intentionally issued by the logged-in user. Specifically, an attacker can craft a malicious web page with a hidden form that, when visited by an authenticated administrator, submits a request to create a new superuser account on the device. This happens because the web interface accepts HTTP requests for admin actions without proper request validation. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to gain full administrative control over the affected device by creating a new superuser account without authorization. With such access, the attacker can disrupt network operations, change configurations, and potentially compromise the security and reliability of the network managed by the device. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized creation of superuser accounts on the Ecessa WANWorx WVR-30 device. Specifically, look for HTTP POST requests to the endpoint `/cgi-bin/pl_web.cgi/util_configlogin_act` that include parameters for creating new user accounts with superuser privileges. Network traffic analysis tools or web server logs can be used to identify such suspicious requests. For example, using tools like tcpdump or Wireshark, you can filter HTTP POST requests to that CGI endpoint. A sample tcpdump command might be: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/cgi-bin/pl_web.cgi/util_configlogin_act'`. Additionally, checking the device's user account configuration for unexpected superuser accounts (e.g., username 'h4x0r') can help detect exploitation. [1]
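The log-monitoring approach described above can be automated. The following is an added example, not code from the CVE record or from the vendor: it scans web-server access log lines for POST requests to the `/cgi-bin/pl_web.cgi/util_configlogin_act` endpoint named in the answer and grades each hit by its Referer header, since a state-changing admin request referred from a foreign origin is the shape a CSRF exploit leaves behind. The combined log format, the device management addresses in `DEVICE_HOSTS`, and the sample log lines are all constructed assumptions; the page names no request parameters, so none are matched here.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the detection guidance for this CVE.
TARGET_PATH = "/cgi-bin/pl_web.cgi/util_configlogin_act"

# Assumed management addresses of the device, used to decide whether a
# Referer is same-origin. Replace with the real ones.
DEVICE_HOSTS = {"192.0.2.10", "wanworx.example.internal"}

# Assumed "combined" access-log layout (client, timestamp, request line,
# status, size, Referer, User-Agent). Adjust the pattern to the real log.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
192.0.2.50 - - [24/Dec/2025:10:00:01 +0000] "GET /cgi-bin/pl_web.cgi/status HTTP/1.1" 200 512 "https://192.0.2.10/" "Mozilla/5.0"
192.0.2.50 - - [24/Dec/2025:10:00:07 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 128 "https://192.0.2.10/cgi-bin/pl_web.cgi/util_configlogin" "Mozilla/5.0"
192.0.2.50 - - [24/Dec/2025:10:03:42 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 128 "http://attacker.example/lure.html" "Mozilla/5.0"
192.0.2.50 - - [24/Dec/2025:10:03:55 +0000] "POST /cgi-bin/pl_web.cgi/util_configlogin_act HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return None for lines of no interest, otherwise a finding dict.

    Only POSTs to the account-change endpoint are considered. Severity is
    derived from the Referer: foreign origin is the CSRF signature, a missing
    Referer cannot be ruled out, and a same-origin Referer is an ordinary
    admin action that still deserves an audit-log entry.
    """
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if urlsplit(m["path"]).path != TARGET_PATH:
        return None

    referer = m["referer"]
    if referer in ("-", ""):
        severity, reason = "medium", "account-change POST without Referer"
    else:
        host = urlsplit(referer).hostname or ""
        if host in DEVICE_HOSTS:
            severity, reason = "low", "account-change POST from device UI"
        else:
            severity, reason = "high", f"account-change POST referred from foreign origin {host}"
    return {"src": m["src"], "ts": m["ts"], "severity": severity, "reason": reason}


def scan(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any "high" finding should be followed by the account review the answer recommends: list the device's configured users and compare against the expected administrator set, since a successful CSRF leaves a new superuser behind regardless of what the logs captured.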
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Ecessa WANWorx WVR-30 device firmware to version 10.7.4 or later, where this CSRF vulnerability is fixed. Until the upgrade can be applied, restrict access to the device's web interface to trusted networks and users only, and avoid browsing untrusted websites from devices with authenticated sessions to the WANWorx device. Additionally, monitor and remove any unauthorized superuser accounts created by this exploit. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to gain unauthorized administrative access by creating a superuser account without request validation. Such unauthorized access could lead to compromise of network operations and potentially sensitive data. This situation may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information. Therefore, the vulnerability poses a risk to compliance by undermining the security controls necessary to protect data and maintain authorized access. [1]