CVE-2018-10285
Published: 2018-04-22
Priority: P269 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 13.23% (95.9th percentile)
The Ericsson-LG iPECS NMS A.1Ac web application uses incorrect access control mechanisms. Since the app does not use any sort of session ID, an attacker might bypass authentication.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ericssonlg | ipecs_nms | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /nms/php/module/main/main_login.php containing a SQL injection payload in the 'passwd' field (e.g., patterns matching OR-based bypass: `1' or 1=1--`).
- Detect POST requests to /nms/php/module/init/module_init.php with 'command=init_configuration' and explicit 'db_user'/'db_pwd' parameters in the body, indicating credential reuse after a dump.
- Flag requests carrying the cookie 'mainTab_selectedChild=sysinfoTab' combined with POST bodies to NMS PHP endpoints, as this is the static cookie used throughout the exploit chain.
- Monitor for creation of the file 'ipecsnms_dump.txt' on disk, which is the output artifact written by the exploit containing raw credential dump output.
- The application does not use session IDs for access control; any POST to sensitive PHP endpoints without a session token should be treated as suspicious and potentially exploitative.
- The exploit targets HTTP (not HTTPS), meaning credentials are transmitted in cleartext and the application is also vulnerable to MitM interception.
- The affected version is A.1Ac but earlier versions may also be vulnerable; detections should not be scoped exclusively to A.1Ac.
- The exploit was tested on Windows 2008 R2 x64; the NMS server OS context should be considered when deploying host-based detections.
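The first three network detections above, written as a log-triage function. This is an added example, not code from the advisory or the vendor; it assumes a proxy or WAF log that records method, path, Cookie header and form body, and the record layout, rule names and sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

LOGIN = "/nms/php/module/main/main_login.php"
INIT = "/nms/php/module/init/module_init.php"
STATIC_COOKIE = "mainTab_selectedChild=sysinfoTab"
# Quote followed by an OR tautology (n=n), e.g. the decoded form of 1' or 1=1--
OR_BYPASS = re.compile(r"'\s*or\s+(\d+)\s*=\s*\1", re.IGNORECASE)


def classify(req):
    """Return the names of the rules matched by one request record."""
    hits = []
    if req["method"].upper() != "POST":
        return hits
    # Assumption: compare paths case-insensitively (the page notes a Windows host).
    path = req["path"].split("?", 1)[0].lower()
    # parse_qs URL-decodes values; keep blanks so an empty db_pwd= still counts.
    form = parse_qs(req.get("body", ""), keep_blank_values=True)
    if path == LOGIN and any(OR_BYPASS.search(v) for v in form.get("passwd", [])):
        hits.append("login-sqli-passwd")
    if (path == INIT and "init_configuration" in form.get("command", [])
            and "db_user" in form and "db_pwd" in form):
        hits.append("init-config-db-creds")
    cookies = [c.strip() for c in req.get("cookie", "").split(";")]
    # Assumption: "NMS PHP endpoints" means any .php path under /nms/php/.
    if path.startswith("/nms/php/") and path.endswith(".php") and STATIC_COOKIE in cookies:
        hits.append("static-exploit-cookie")
    return hits


def scan(records):
    """Map record index -> matched rules, omitting clean records."""
    return {i: h for i, r in enumerate(records) if (h := classify(r))}


# Constructed sample records (not captured traffic); credential values are placeholders.
SAMPLE = [
    {"method": "POST", "path": LOGIN, "cookie": STATIC_COOKIE,
     "body": "passwd=1%27+or+1%3D1--"},
    {"method": "POST", "path": "/NMS/php/module/init/module_init.php", "cookie": "",
     "body": "command=init_configuration&db_user=EXAMPLE_USER&db_pwd="},
    {"method": "POST", "path": LOGIN, "cookie": "", "body": "passwd=S3cure%27Pass"},
    {"method": "GET", "path": LOGIN, "cookie": STATIC_COOKIE, "body": ""},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE).items():
        print(idx, SAMPLE[idx]["path"], rules)
```

The third record shows why the password rule keys on the quote-plus-tautology shape instead of any quote character: a legitimate password containing an apostrophe does not fire it.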
CVSS provenance
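| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |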
No detection rules found.
No writeups or analysis indexed.