CVE-2018-15138
published 2018-08-15CVE-2018-15138: Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
PriorityP178high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
12.85%
95.8th percentile
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ericssonlg | ipecs_nms | — | — |
| ericssonlg | ipecs_nms | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data↗
url/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg↗
- →Detect LFI exploitation attempts against iPECS NMS by monitoring GET requests to /ipecs-cm/download with 'filename' or 'filepath' parameters containing directory traversal sequences (../). ↗
- →A null-byte injection variant is used in the filepath parameter (%00.jpg) to bypass file extension checks — monitor for %00 in query parameters targeting /ipecs-cm/download. ↗
- →Successful exploitation returns HTTP 200 with /etc/passwd content matching 'root:[x*]:0:0' — alert on this pattern in HTTP responses from the iPECS NMS application. ↗
- →The known fixed filepath anchor used in exploitation is /home/wms/www/data — presence of this string in HTTP requests to /ipecs-cm/download is a strong indicator of CVE-2018-15138 exploitation. ↗
- ·Two distinct attack vectors exist: one traverses via the 'filename' parameter with a fixed 'filepath', and the other traverses via the 'filepath' parameter using a null-byte (%00) extension bypass. Detection rules should cover both patterns independently. ↗
- ·The template uses stop-at-first-match across two requests, meaning real-world exploitation may only generate one of the two request patterns — do not rely on seeing both requests to confirm exploitation. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-j4qq-7qwm-w2p2: Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=
ghsa_unreviewed·2022-05-14
CVE-2018-15138 [HIGH] CWE-22 GHSA-j4qq-7qwm-w2p2: Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
VulnCheck
ericssonlg ipecs_nms Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2018·CVSS 7.5
CVE-2018-15138 [HIGH] ericssonlg ipecs_nms Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ericssonlg ipecs_nms Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Ericsson-LG iPECS NMS 30M allows directory traversal via ipecs-cm/download?filename=../ URIs.
Affected: ericssonlg ipecs_nms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2018-15138; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-04&host_type=src&vulnerability=cve-2018-15138; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-201
No detection rules found.
Nuclei
LG-Ericsson iPECS NMS 30M - Local File Inclusion
nuclei·CVSS 7.5
CVE-2018-15138 [HIGH] LG-Ericsson iPECS NMS 30M - Local File Inclusion
LG-Ericsson iPECS NMS 30M - Local File Inclusion
Ericsson-LG iPECS NMS 30M allows local file inclusion via ipecs-cm/download?filename=../ URIs.
Template:
id: CVE-2018-15138
info:
name: LG-Ericsson iPECS NMS 30M - Local File Inclusion
author: 0x_Akoko
severity: high
description: Ericsson-LG iPECS NMS 30M allows local file inclusion via ipecs-cm/download?filename=../ URIs.
impact: |
Successful exploitation of this vulnerability could allow an attacker to read sensitive files on the target system, potentially leading to unauthorized access or information disclosure.
remediation: |
Apply the latest security patches or updates provided by the vendor to mitigate this vulnerability.
reference:
- https://cxsecurity.com/issue/WLB-2018080070
- https://www.exploit-db.com/exploits/45167/
- https:/
Greynoiseio
NoiseLetter September 2025
blogs_greynoiseio
NoiseLetter September 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Bugzilla
CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project
bugzilla·2018-04-11·CVSS 5.0
CVE-2017-15138 [MEDIUM] CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project
CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project
It is reported that as a result of cluster-reader having view access on all builds in all projects, the cluster reader is able to escalate to also create builds in all projects since they have access to the secret key for the webhook.
A project viewer has the same ability to escalate but is obviously scoped to the single project.
The main problem is that we have confidential information (webhook tokens) that lives in a non-confidential resource.
Discussion:
Acknowledgments:
Name: Jessica Forrester (Red Hat)
---
This was fixed in the release of OpenShift 3.9 via RHBA-2018:0489
---
Are 3.2 and 3.7 affected as well?
---
This issue also affects all OCP 3.x versions prior to 3
2018-08-15
Published
Exploited in the wild