CVE-2018-7765
published 2018-07-03CVE-2018-7765: The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying…
PriorityP276high8.8CVSS 3.0
AVNACLPRNUIRSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
2.92%
85.3th percentile
The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| schneider-electric | u.motion_builder | < 1.3.4 | 1.3.4 |
| schneider_electric_se | u.motion | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect SQL injection attempts against track_import_export.php by monitoring POST requests to the path with ORDER BY payloads in the object_id parameter. A response containing 'Invalid argument supplied for foreach' indicates the column count boundary was exceeded, confirming SQLi. ↗
- →The vulnerability is unauthenticated — no session or credentials are required. Monitor for POST requests to track_import_export.php from unauthenticated sources (no valid session cookie). ↗
- →The object_id parameter is the injection point; alert on SQL metacharacters (single quotes, ORDER BY, comment sequences -- -) or OS command injection characters (backticks, semicolons) in this parameter. ↗
- ·Two different base paths are observed in the wild for the vulnerable script: /umotion/modules/reporting/ and /smartdomuspad/modules/reporting/ — detection rules should cover both path prefixes. ↗
- ·CVE-2018-7765 (SQL injection) and CVE-2018-7841 (OS command injection bypass) both target the same script and parameter (track_import_export.php / object_id); detections for one should be extended to cover the other. ↗
- ·The product has been retired and no patch will be published; the recommended action is removal of the installation, not patching. ↗
CVSS provenance
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Schneider Electric U.motion Builder (Update A)
cisa_ics·2017-06-29·CVSS 9.8
[CRITICAL] Schneider Electric U.motion Builder (Update A)
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
Schneider Electric U.motion Builder (Update A)
Last RevisedJanuary 08, 2019
Alert CodeICSA-17-180-02
## 1. EXECUTIVE SUMMARY
-
CVSS v3 10.0
- ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
- Vendor: Schneider Electric
- Equipment: U.motion Builder
--------- Begin Update A Part 1 of 5 --------
- Vulnerabilities: SQL Injection, Path Traversal, Improper Authentication, Use of Hard-Coded Password, Improper Access Control, Denial of Service, Information Disclosure, Improper Input Validation, Improper Control of Generation of Code
----
GHSA
GHSA-4j9f-8935-x53p: The vulnerability exists within processing of track_import_export
ghsa_unreviewed·2022-05-14
CVE-2018-7765 [HIGH] CWE-89 GHSA-4j9f-8935-x53p: The vulnerability exists within processing of track_import_export
The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
VulnCheck
Schneider Electric u.motion_builder Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2018·CVSS 8.8
CVE-2018-7765 [HIGH] Schneider Electric u.motion_builder Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Schneider Electric u.motion_builder Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
Affected: Schneider Electric u.motion_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-7765; https://tracker.crowdsec.net/cves/CVE-2018-7765
No detection rules found.
Exploit-DB
Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection
exploitdb·2019-05-14·CVSS 8.8
CVE-2018-7841 [HIGH] Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection
Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection
---
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
Product: Schneider Electric U.Motion Builder
Vendor URL: www.schneider-electric.com
Type: OS Command Injection [CWE-78]
Date found: 2018-11-15
Date published: 2019-05-13
CVSSv3 Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE: CVE-2018-7841
2. CREDITS
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
Schneider Electric U.Motion Builder 1.3.4 and below
4. INTRODUCTION
Comfort, Security and Energy Efficiency – these are the qualities that you as
home owner expect from a futureproof building management solution.
(from the ven
Nuclei
Schneider Electric U.motion Builder - SQL Injection
nuclei·CVSS 8.8
CVE-2018-7765 [HIGH] Schneider Electric U.motion Builder - SQL Injection
Schneider Electric U.motion Builder - SQL Injection
The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
Template:
id: CVE-2018-7765
info:
name: Schneider Electric U.motion Builder - SQL Injection
author: daffainfo
severity: high
description: |
The vulnerability exists within processing of track_import_export.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. The underlying SQLite database query is subject to SQL injection on the object_id input parameter.
impact: |
Attackers can execute arbitrary SQL commands, potentially leading to data theft, modification, or deletion.
2018-07-03
Published
Exploited in the wild