CVE-2018-11741
published 2018-12-26

CVE-2018-11741: NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session IDs that result in Account Information Disclosure via Home.htm?sessionId=#####&GOTO(8) URIs.

Priority P263 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit available
EPSS 17.89% (96.8th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
nec | univerge_sv9100_webpro_firmware | | 

Detection & IOCs (extracted from sources)

url: http://NEC-VICTIM-IP/Home.htm?sessionId=12959&GOTO(8)
path: /Home.htm?sessionId=#####&GOTO(8)
command: GET /Home.htm?sessionId=<id>&GOTO(8) HTTP/1.1
  • Detect sequential/brute-force HTTP GET requests to /Home.htm with incrementing sessionId query parameters and the GOTO(8) directive, indicative of session enumeration against NEC Univerge Sv9100 WebPro.
  • Alert on HTTP requests containing the URI pattern '/Home.htm?sessionId=' combined with '&GOTO(8)' — this specific parameter combination is the exploit trigger for dumping all user accounts and cleartext passwords.
  • Identify NEC Univerge WebPro servers exposed to the internet by hunting for the 'Server: Henry' HTTP response header (Shodan query: 'Server Henry'), which returned 7,797 public-facing results as of Dec 1, 2018.
  • The exploit probes for the string 'WebPro' in the HTTP response body to fingerprint the vulnerable application before launching session enumeration; monitor for repeated requests to '/' followed by rapid sequential sessionId enumeration on port 80.
  • Session IDs are enumerated in the numeric range 1000–15000; a high volume of GET requests to /Home.htm with sequentially incrementing sessionId values in this range from a single source IP is a strong indicator of exploitation.
  • Successful exploitation is confirmed by the presence of the string 'Programming Password Setup' in the HTTP response body, indicating the attacker has hit a live session and retrieved account credentials.
  • The vulnerable session ID space is numeric and small (observed range 1000–15000), meaning brute-force enumeration is trivially fast over an unauthenticated HTTP connection on port 80. No authentication or rate-limiting is enforced by the device.
  • Passwords are stored and transmitted in cleartext within the Web UI (CVE-2018-11742 companion issue), meaning a successful session hijack via CVE-2018-11741 immediately yields plaintext credentials with no further decryption required.
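The detection points above (the `/Home.htm?sessionId=…&GOTO(8)` trigger, incrementing sessionId values in the 1000–15000 range from one source, a fingerprinting request to `/` first, the `Server: Henry` header with `WebPro` in the body, and the `Programming Password Setup` success marker) can be turned into log-side and response-side checks. The following is an added example written for this page; it is not the original PoC and not NEC code. The access-log lines are constructed, and the thresholds `ENUM_THRESHOLD`, `IN_RANGE_FRACTION` and `SEQUENTIAL_FRACTION` are assumed tuning values, not figures from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Exact parameter combination named in the advisory as the exploit trigger.
TRIGGER_RE = re.compile(r'^/Home\.htm\?sessionId=(\d+)&GOTO\(8\)$')
# Combined log format: src ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

SESSION_MIN, SESSION_MAX = 1000, 15000  # enumeration range observed in the PoC
ENUM_THRESHOLD = 20        # assumed: minimum trigger hits per source before alerting
IN_RANGE_FRACTION = 0.8    # assumed: share of IDs inside 1000-15000
SEQUENTIAL_FRACTION = 0.8  # assumed: share of +1 steps between sorted IDs


def parse_line(line):
    """Parse one combined-format access-log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def trigger_session_id(uri):
    """Return the sessionId if the (decoded) URI is the CVE-2018-11741 trigger, else None."""
    m = TRIGGER_RE.match(unquote(uri))  # handle GOTO%288%29 / %26 encodings too
    return int(m.group(1)) if m else None


def analyze(log_text):
    """Signature alert on every trigger URI, plus per-source enumeration detection."""
    signature_hits = []
    per_src = defaultdict(lambda: {"ids": [], "root_first": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue
        src = rec["src"]
        if rec["uri"] == "/":
            # Fingerprint probe only counts if it precedes any enumeration from that host.
            if not per_src[src]["ids"]:
                per_src[src]["root_first"] = True
            continue
        sid = trigger_session_id(rec["uri"])
        if sid is None:
            continue
        signature_hits.append((src, sid))
        per_src[src]["ids"].append(sid)

    enumeration = {}
    for src, info in per_src.items():
        ids = info["ids"]
        if len(ids) < ENUM_THRESHOLD:
            continue
        in_range = sum(SESSION_MIN <= s <= SESSION_MAX for s in ids) / len(ids)
        ordered = sorted(set(ids))
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        seq_frac = sum(s == 1 for s in steps) / max(len(steps), 1)
        if in_range >= IN_RANGE_FRACTION and seq_frac >= SEQUENTIAL_FRACTION:
            enumeration[src] = {
                "requests": len(ids),
                "low": ordered[0],
                "high": ordered[-1],
                "sequential_fraction": round(seq_frac, 2),
                "fingerprinted_first": info["root_first"],
            }
    return {"signature": signature_hits, "enumeration": enumeration}


def looks_like_webpro(headers, body):
    """Host fingerprint used by the PoC: 'Server: Henry' header and 'WebPro' in the body."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    return "Henry" in server and "WebPro" in body


def dump_succeeded(body):
    """Success marker from the PoC: a live session returns 'Programming Password Setup'."""
    return "Programming Password Setup" in body


def build_sample_log():
    """Constructed sample traffic for the demo (not captured from a real device)."""
    fmt = '%s - - [26/Dec/2018:%s +0000] "GET %s HTTP/1.1" 200 512'
    lines = [fmt % ("203.0.113.7", "10:00:00", "/")]          # fingerprint probe
    for i, sid in enumerate(range(1000, 1030)):                 # 30 incrementing IDs
        lines.append(fmt % ("203.0.113.7", "10:00:%02d" % (i + 1),
                            "/Home.htm?sessionId=%d&GOTO(8)" % sid))
    # One trigger hit from a second host: signature match, not enumeration.
    lines.append(fmt % ("192.0.2.50", "11:00:00", "/Home.htm?sessionId=12959&GOTO(8)"))
    # Normal UI traffic without GOTO(8): must not alert.
    lines.append(fmt % ("198.51.100.9", "11:00:01", "/Home.htm?sessionId=12959"))
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print("signature hits:", len(result["signature"]))
    for src, stats in result["enumeration"].items():
        print("enumeration from", src, stats)
```

The signature check fires on every trigger URI (a single hit is already worth a ticket, since one live session is enough to dump all accounts), while the enumeration check separates a mass sweep from a one-off request by requiring many hits, mostly inside the observed ID range and mostly stepping by one. URIs are percent-decoded before matching so that an encoded `GOTO%288%29` does not slip past the pattern.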

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N