CVE-2018-10285
published 2018-04-22


Priority: P2 (69)
Severity: critical, CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 13.23% (95.9th percentile)
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.

Affected (1 range)

Vendor: ericssonlg
Product: ipecs_nms
Version range: not specified
Fixed in: not specified

Detection & IOCs (extracted from sources)

Paths:
  /nms/php/module/main/main_login.php
  /nms/php/module/main/main_start.php
  /nms/php/module/init/module_init.php
Commands / parameters:
  passwd=1' or 1=1--
  command=nms_start
  command=init_configuration
  • Detect POST requests to /nms/php/module/main/main_login.php containing SQL injection payload in the 'passwd' field (e.g., patterns matching OR-based bypass: `1' or 1=1--`).
  • Detect POST requests to /nms/php/module/init/module_init.php with 'command=init_configuration' and explicit 'db_user'/'db_pwd' parameters in the body, indicating credential reuse after a dump.
  • Flag requests carrying the cookie 'mainTab_selectedChild=sysinfoTab' combined with POST bodies to NMS PHP endpoints, as this is the static cookie used throughout the exploit chain.
  • Monitor for creation of the file 'ipecsnms_dump.txt' on disk, which is the output artifact written by the exploit containing raw credential dump output.
  • The application does not use session IDs for access control; any POST to sensitive PHP endpoints without a session token should be treated as suspicious and potentially exploitative.
  • The exploit targets HTTP (not HTTPS), meaning credentials are transmitted in cleartext and the application is also vulnerable to MitM interception.
  • The affected version is A.1Ac, but earlier versions may also be vulnerable; detections should not be scoped exclusively to A.1Ac.
  • The exploit was tested on Windows 2008 R2 x64; the NMS server OS context should be considered when deploying host-based detections.

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P