CVE-2018-11742
published 2018-12-26

CVE-2018-11742: NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Password Storage in the Web UI.

Priority: P267 | critical | 9.8 | CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 14.34% (96.2th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
nec | univerge_sv9100_webpro_firmware | |

Detection & IOCs (extracted from sources)

url: http://NEC-VICTIM-IP/Home.htm?sessionId=12959&GOTO(8)
path: /Home.htm
command: GET /Home.htm?sessionId=<ID>&GOTO(8) HTTP/1.1
other: Server: Henry
  • Detect sequential/incremental sessionId parameter enumeration in HTTP GET requests to /Home.htm — the exploit iterates sessionId values in the range 1000–15000 to brute-force a valid authenticated session.
  • Alert on HTTP GET requests containing both the 'sessionId' query parameter and the 'GOTO(8)' parameter targeting /Home.htm, which is the specific URI used to dump all user accounts and cleartext passwords.
  • Use the Shodan banner 'Server: Henry' to identify publicly exposed NEC Univerge Sv9100 WebPro instances on the internet as potential targets.
  • Detect HTTP responses containing the string 'Programming Password Setup' — the exploit uses this as a confirmation string that a valid authenticated session has been hijacked and credential data is being returned.
  • Detect HTTP responses containing the string 'WebPro' to fingerprint the vulnerable NEC Univerge WebPro application before exploitation.
  • The sessionId brute-force range used in the exploit is 1000–15000 (numeric integers), meaning the session space is extremely small and entirely predictable — not cryptographically random.
  • Passwords are stored and transmitted in cleartext within the Web UI, meaning any session hijack via the predictable sessionId immediately yields plaintext credentials for all user accounts.
  • The attack is entirely unauthenticated and remote — no prior access is required; an attacker only needs network access to TCP port 80 on the target device.
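The first two detection notes above, combined into a log check. This is an added example, not code from the page or its sources; it assumes combined-format access logs from a proxy or HTTP sensor in front of the Web UI, and the function names, sample log lines and the threshold of 20 distinct values are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Combined-format access log line (assumed source: proxy or HTTP sensor in front of WebPro).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<target>\S+) HTTP/[\d.]+" \d{3}')
SESSION_RE = re.compile(r'(?:^|&)sessionId=(\d+)(?:&|$)')


def parse_hit(line):
    """Return (src, session_id, has_goto8) for GET /Home.htm requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.lower() != "/home.htm":
        return None
    query = unquote(url.query)  # also catches GOTO%288%29
    sid = SESSION_RE.search(query)
    if not sid:
        return None
    return m.group("src"), int(sid.group(1)), "GOTO(8)" in query


def find_enumeration(lines, min_distinct=20):
    """Flag sources that request /Home.htm with many distinct sessionId values."""
    seen, goto8 = defaultdict(set), defaultdict(int)
    for line in lines:
        hit = parse_hit(line)
        if hit:
            src, sid, has_goto8 = hit
            seen[src].add(sid)
            goto8[src] += int(has_goto8)
    # A legitimate admin session reuses one sessionId; a sweep shows many.
    return {src: {"distinct_ids": len(ids), "min": min(ids), "max": max(ids),
                  "goto8_requests": goto8[src]}
            for src, ids in seen.items() if len(ids) >= min_distinct}


# Constructed sample: one source walking sessionId upward, one normal admin session.
SAMPLE = [f'203.0.113.7 - - [26/Dec/2018:10:00:{i % 60:02d} +0000] '
          f'"GET /Home.htm?sessionId={1000 + i}&GOTO(8) HTTP/1.1" 200 512' for i in range(40)]
SAMPLE += ['198.51.100.9 - - [26/Dec/2018:10:01:00 +0000] '
           '"GET /Home.htm?sessionId=12959&GOTO(8) HTTP/1.1" 200 4096'] * 3

if __name__ == "__main__":
    print(find_enumeration(SAMPLE))
```

Any single GOTO(8) request from an address outside the administration network is worth reviewing on its own; the distinct-value count is what separates a sweep from one reused session.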

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N