CVE-2018-25156
Unknown Unknown - Not Provided
CSRF Vulnerability in Teradek Cube 7.3.6 Enables Admin Password Change

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: VulnCheck

Description
Teradek Cube 7.3.6 contains a cross-site request forgery vulnerability that allows attackers to change administrative passwords without proper request validation. Attackers can craft a malicious web page with a hidden form to submit password change requests to the device's system configuration interface.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25156
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
teradek cube 7.3.6
lighttpd lighttpd 1.4.31
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25156 is a Cross-Site Request Forgery (CSRF) vulnerability in Teradek Cube firmware version 7.3.6. It allows attackers to change the administrative password without proper validation of the request. An attacker can trick a logged-in user into visiting a malicious website that submits hidden forms to the device's web interface, causing it to execute unauthorized password changes without the user's consent. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized administrative access to the Teradek Cube device by allowing attackers to change the administrator password remotely. This compromises the security of the device, potentially allowing attackers to control the device, disrupt video encoding/decoding operations, and access sensitive network resources connected to the device. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the device's internal CGI endpoint, such as /cgi-bin/system.cgi, especially those attempting to change administrative passwords without proper validation. Network traffic analysis tools can be used to inspect for suspicious POST requests with parameters related to password changes. Since the device lacks CSRF protections, look for unexpected or unauthorized POST requests originating from user browsers or external sources targeting the device's web interface. Specific commands are not provided in the resources, but using tools like tcpdump or Wireshark to filter HTTP POST requests to /cgi-bin/system.cgi could help detect exploitation attempts. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the Teradek Cube's web interface to trusted networks or users only, disabling remote web administration if possible, and educating users to avoid visiting untrusted or malicious websites while logged into the device. Since the vulnerability arises from lack of CSRF protections, applying any available firmware updates or patches from the vendor is recommended if available. If no patch exists, network-level controls such as firewall rules to limit access to the device's management interface can reduce risk. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25156. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart