CVE-2018-25152
CSRF in Ecessa Edge EV150 Allows Unauthorized Admin Account Creation
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ecessa | edge_ev150 | 10.7.4 |
| lighttpd | lighttpd | 1.4.35 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in Ecessa Edge EV150 version 10.7.4 and other affected versions. It allows an attacker to create administrative superuser accounts without authentication by tricking a logged-in user into visiting a malicious web page. The attacker crafts a malicious form that submits a POST request to the device's web management interface endpoint `/cgi-bin/pl_web.cgi/util_configlogin_act`, which adds a superuser account with arbitrary credentials. This happens because the application does not properly validate HTTP requests, enabling unauthorized administrative actions. [1]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to gain unauthorized administrative access to the affected device by adding superuser accounts remotely without authentication. This compromises the security of the device, potentially allowing the attacker to control device settings, intercept or manipulate network traffic, and disrupt normal operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by monitoring for suspicious POST requests to the endpoint /cgi-bin/pl_web.cgi/util_configlogin_act on the device's web management interface. Specifically, look for HTTP POST requests that include parameters such as user_superuser4=on and user_enabled4=on, which indicate attempts to create superuser accounts. Network traffic capture tools like tcpdump or Wireshark can be used to filter for such requests. For example, using tcpdump: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' and then searching for POST requests to /cgi-bin/pl_web.cgi/util_configlogin_act. Additionally, checking the device's user account list for unexpected administrative users can help detect exploitation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the device's web management interface to trusted networks only, implementing network-level controls such as firewall rules to block unauthorized access, and disabling or limiting the use of the vulnerable web interface if possible. Additionally, monitor and remove any unauthorized administrative user accounts created via this vulnerability. Applying any available patches or updates from the vendor that address this CSRF vulnerability is also critical once they become available. [1]