CVE-2018-16946
published 2018-09-12


Priority: P262 high
CVSS 3.0: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
EXPLOIT
EPSS: 9.35% (94.8th percentile)

LG LNB*, LND*, LNU*, and LNV* smart network camera devices have broken access control. Attackers are able to download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) without authenticating. These backup files contain user credentials and configuration information for the camera device. An attacker is able to discover the backup filename via reading the system logs or report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate to the admin account with the admin password.

Affected

18 ranges

Vendor  Product            Version range       Fixed in
lg      lnb5110_firmware   1310250 – 1508190
lg      lnb5320_firmware   1310250 – 1508190
lg      lnb5320r_firmware  1310250 – 1508190
lg      lnb7210_firmware   1310250 – 1508190
lg      lnd3230r_firmware  1310250 – 1508190
lg      lnd5110_firmware   1310250 – 1508190
lg      lnd5110r_firmware  1310250 – 1508190
lg      lnd5220r_firmware  1310250 – 1508190
lg      lnd7210_firmware   1310250 – 1508190
lg      lnd7210r_firmware  1310250 – 1508190
lg      lnu3230r_firmware  1310250 – 1508190
lg      lnu5110r_firmware  1310250 – 1508190
lg      lnu5320r_firmware  1310250 – 1508190
lg      lnu7210r_firmware  1310250 – 1508190
lg      lnv5110r_firmware  1310250 – 1508190
lg      lnv5320r_firmware  1310250 – 1508190
lg      lnv7210_firmware   1310250 – 1508190
lg      lnv7210r_firmware  1310250 – 1508190

Detection & IOCs (extracted from sources)

path: /updownload/t.report
path: /download.php?file=
path: /httpapi?GetDeviceInformation
cookie: Authorization: Basic YWRtaW46YWRtaW4=
filename: backup_<YYMMDD>_<model_version>.config
filename: mipsca.db
  • Detect unauthenticated GET requests to /updownload/t.report — no session/auth cookie required; any 200 response leaks log/report data including model ID and firmware version usable for backup filename construction.
  • Detect unauthenticated GET requests to /download.php?file=backup_*.config — the backup file contains plaintext user credentials and device configuration (stored in mipsca.db SQLite database inside the archive).
  • Alert on HTTP Basic Auth header value 'YWRtaW46YWRtaW4=' (base64 for admin:admin) sent to LG camera endpoints — exploit first tries default credentials before brute-forcing backup filenames.
  • Monitor for sequential/rapid unauthenticated requests to /download.php?file=backup_<date>_<version>.config iterating over dates (up to 3650 days back) — characteristic brute-force pattern of the exploit.
  • Known vulnerable model version strings to match in backup filenames or report data: 2219.0.0.1505220, 2745.0.0.1508190, 1954.0.0.1410150, 1030.0.0.1310250.
  • Backup filename is date-dependent (YYMMDD) and model-version-dependent; defenders should monitor for the pattern backup_YYMMDD_<version>.config rather than a static filename.
  • The exploit targets LG camera model families LNB*, LND*, LNU*, and LNV* — scope detection rules to these device families to reduce false positives.
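
The detection points above can be applied to the access log of a reverse proxy placed in front of the cameras. The following is an added example, not code from this page or from any published exploit. It assumes Combined Log Format in which a remote-user field of "-" means the request carried no credentials, and the sweep threshold of 5 distinct dates is an illustrative value; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

REPORT_PATH = "/updownload/t.report"  # path from the IOC list
BACKUP_RE = re.compile(r"^backup_(\d{6})_([\w.]+)\.config$")  # backup_<YYMMDD>_<version>.config
# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def detect(lines, threshold=5):
    """Return (rule, source_ip, detail) alerts for unauthenticated camera requests."""
    alerts, dates_by_src, swept = [], defaultdict(set), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, user, method, target, status = m.groups()
        if method != "GET" or user != "-":  # only unauthenticated GETs are of interest
            continue
        url = urlsplit(target)
        if url.path == REPORT_PATH and status == "200":
            alerts.append(("report_leak", src, url.path))
        elif url.path == "/download.php":
            name = parse_qs(url.query).get("file", [""])[0]
            b = BACKUP_RE.match(name)
            if not b:
                continue
            if status == "200":  # a backup archive was actually served
                alerts.append(("backup_leak", src, name))
            dates_by_src[src].add(b.group(1))
            # Many distinct dates from one source: filename iteration, alert once.
            if len(dates_by_src[src]) >= threshold and src not in swept:
                swept.add(src)
                alerts.append(("backup_sweep", src, f"{len(dates_by_src[src])} dates"))
    return alerts


# Constructed sample log (documentation IP ranges); version string from the list above.
_FMT = '{ip} - {user} [12/Sep/2018:10:00:0{i} +0000] "GET {path} HTTP/1.1" {st} 512'
SAMPLE_LOG = [_FMT.format(ip="198.51.100.7", user="-", i=0, path=REPORT_PATH, st=200)]
SAMPLE_LOG += [
    _FMT.format(ip="198.51.100.7", user="-", i=i + 1, st=200 if d == "180908" else 404,
                path=f"/download.php?file=backup_{d}_2219.0.0.1505220.config")
    for i, d in enumerate(["180912", "180911", "180910", "180909", "180908"])
]
SAMPLE_LOG.append(_FMT.format(ip="192.0.2.10", user="admin", i=9, path=REPORT_PATH, st=200))

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A `backup_leak` alert means a backup was served without authentication, so the credentials stored on that camera should be treated as exposed.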

CVSS provenance

nvd  v3.0  7.5  HIGH    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd  v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N