CVE-2018-25152
Unknown Unknown - Not Provided
CSRF in Ecessa Edge EV150 Allows Unauthorized Admin Account Creation

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25152
EUVD
EUVD-2025-205338
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ecessa edge_ev150 10.7.4
lighttpd lighttpd 1.4.35
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) in Ecessa Edge EV150 version 10.7.4 and other affected versions. It allows an attacker to create administrative superuser accounts without authentication by tricking a logged-in user into visiting a malicious web page. The attacker crafts a malicious form that submits a POST request to the device's web management interface endpoint `/cgi-bin/pl_web.cgi/util_configlogin_act`, which adds a superuser account with arbitrary credentials. This happens because the application does not properly validate HTTP requests, enabling unauthorized administrative actions. [1]

Impact Analysis

This vulnerability can allow an attacker to gain unauthorized administrative access to the affected device by adding superuser accounts remotely without authentication. This compromises the security of the device, potentially allowing the attacker to control device settings, intercept or manipulate network traffic, and disrupt normal operations. [1]

Detection Guidance

You can detect this vulnerability by monitoring for suspicious POST requests to the endpoint /cgi-bin/pl_web.cgi/util_configlogin_act on the device's web management interface. Specifically, look for HTTP POST requests that include parameters such as user_superuser4=on and user_enabled4=on, which indicate attempts to create superuser accounts. Network traffic capture tools like tcpdump or Wireshark can be used to filter for such requests. For example, using tcpdump: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and then searching for POST requests to /cgi-bin/pl_web.cgi/util_configlogin_act. Additionally, checking the device's user account list for unexpected administrative users can help detect exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the device's web management interface to trusted networks only, implementing network-level controls such as firewall rules to block unauthorized access, and disabling or limiting the use of the vulnerable web interface if possible. Additionally, monitor and remove any unauthorized administrative user accounts created via this vulnerability. Applying any available patches or updates from the vendor that address this CSRF vulnerability is also critical once they become available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25152. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart