CVE-2018-12031
published 2018-06-07


Priority P182 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 17.31% (96.7th percentile)
Local file inclusion in Eaton Intelligent Power Manager v1.6 allows an attacker to include a file via server/node_upgrade_srv.js directory traversal with the firmware parameter in a downloadFirmware action.

Affected

1 range
Vendor | Product | Version range | Fixed in
eaton | intelligent_power_manager | |

Detection & IOCs (extracted from sources)

url: /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../etc/passwd
url: /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../Windows/win.ini
url: /server/node_upgrade_srv.js?action=downloadFirmware&firmware=/../../../../../../../../../../windows/System32/drivers/etc/host
path: /server/node_upgrade_srv.js
yara: regex: root:.*:0:0:
  • Detect exploitation attempts by monitoring HTTP GET requests to '/server/node_upgrade_srv.js' containing the 'action=downloadFirmware' parameter combined with directory traversal sequences ('/../') in the 'firmware' parameter.
  • Successful LFI exploitation on Linux targets can be confirmed by the presence of 'root:.*:0:0:' pattern in HTTP response bodies (indicative of /etc/passwd content being returned).
  • Successful LFI exploitation on Windows targets can be confirmed by the presence of '[fonts]', '[extensions]', or '[files]' patterns in HTTP response bodies (indicative of win.ini content being returned).
  • The vulnerable endpoint requires no authentication (PR:N, UI:N per CVSS), so any unauthenticated GET request to node_upgrade_srv.js with traversal sequences should be treated as a high-confidence attack indicator.
  • The PoC traversal depth uses 12 levels of '../' which may vary depending on the installation path of Eaton IPM; defenders should tune traversal-depth detection rules to catch varying depths.
  • The vulnerability was tested on Windows, but the Nuclei template also targets Linux paths (/etc/passwd), indicating the server may run on both platforms; detection rules should cover both OS path patterns.
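
The checks in the notes above, combined into one triage function over a request URL and its response body. This is an added example, not code from the advisory, the Nuclei template or the vendor; the function names and the sample traffic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/server/node_upgrade_srv.js"
# Response-body markers listed in the detection notes (passwd / win.ini content).
BODY_MARKERS = (re.compile(r"root:.*:0:0:"),
                re.compile(r"\[(fonts|extensions|files)\]", re.I))

def _decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (e.g. %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_request(url):
    """True if a downloadFirmware request's firmware value contains a '..' segment."""
    parts = urlsplit(url)
    if not _decode(parts.path).lower().endswith(ENDPOINT):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    if "downloadfirmware" not in (a.lower() for a in query.get("action", [])):
        return False
    # Split on either slash style so any traversal depth matches.
    return any(".." in re.split(r"[\\/]+", _decode(fw))
               for fw in query.get("firmware", []))

def triage(url, body=""):
    """Return 'ignore', 'attempt', or 'confirmed' (file content in the response)."""
    if not is_traversal_request(url):
        return "ignore"
    return "confirmed" if any(p.search(body) for p in BODY_MARKERS) else "attempt"

# Constructed sample traffic (hypothetical): (request URL, response body).
SAMPLES = [
    (ENDPOINT + "?action=downloadFirmware&firmware=/../../etc/passwd",
     "root:x:0:0:root:/root:/bin/bash\n"),
    (ENDPOINT + "?action=downloadFirmware&firmware=%252e%252e%255cWindows%255cwin.ini", ""),
    (ENDPOINT + "?action=downloadFirmware&firmware=ups_fw_1.2.bin", "binary data"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(triage(url, body), url)
```

Matching on a '..' path segment rather than a fixed number of '../' repeats keeps the rule independent of the installation path, and decoding before matching covers percent-encoded variants of the same request.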

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL