CVE-2018-7809
published 2018-11-30


Priority: P2 (65), critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 2.47% (82.5th percentile)
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the password delete function of the web server.

Detection & IOCs (extracted from sources)

url: http://[ip]/unsecure/embedded/builtin?submit=Delete%20Password
url: http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
path: /unsecure/embedded/builtin
path: /secure/embedded/builtin
path: /goform/formTest
port: 502
command: echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
bytes: \x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0
  • Monitor HTTP GET requests to /unsecure/embedded/builtin with query parameters 'submit=Delete%20Password' or 'subhttppwd=Save+User' — these indicate unauthenticated password delete/change attempts against Modicon PLC web servers.
  • Alert on HTTP GET requests to /unsecure/embedded/builtin containing 'passwd=' parameters from unauthenticated sources, indicating CVE-2018-7811 unauthenticated password change exploitation.
  • Detect incomplete HTTP requests (missing \r\n\r\n terminator) to port 80 on Modicon devices, which trigger a ~1 minute denial of service of the web server.
  • Monitor TCP port 502 (Modbus) for the specific byte sequence \x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00 which causes a complete shutdown of the Ethernet module.
  • Detect use of known default FTP credentials on Modicon devices: sysdiag/factorycast@schneider, fdrusers/sresurdf, fwupgrade/FaAmU5p2F~, loki/ZfTljublsx.
  • The password reset via /unsecure/embedded/builtin also resets credentials to the default USER/USER, meaning post-exploitation the device may be accessible with default credentials.
  • No patches exist for these vulnerabilities; Schneider Electric only recommends network-level mitigations such as ACLs and firewalls.
  • The password change endpoint uses HTTP GET (not POST), meaning credentials are transmitted in the URL and no anti-CSRF token is required, making CSRF attacks trivially possible.
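As an added detection example (not code from the page's sources), the HTTP indicators listed above checked against constructed access-log lines, plus a byte-match for the listed Modbus sequence; the log format, source IPs and alert labels are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint and Modbus byte sequence taken from the IOC list on this page.
ENDPOINT = "/unsecure/embedded/builtin"
MODBUS_SHUTDOWN_SEQ = bytes.fromhex("00a800000005005a000700")

# Assumed Common Log Format: ip ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+"')


def classify_request_target(target: str) -> Optional[str]:
    """Return an alert label for a request target, or None if it is not an indicator."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    # parse_qs decodes %20 and '+' to spaces, so both page URLs normalise cleanly.
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("submit") == ["Delete Password"]:
        return "CVE-2018-7809 password delete"
    if q.get("subhttppwd") == ["Save User"] or "passwd" in q:
        return "unauthenticated password change"
    return None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Yield (source_ip, method, label) for each log line matching a listed indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, target = m.groups()
        label = classify_request_target(target)
        if label:
            hits.append((src, method, label))
    return hits


def contains_modbus_shutdown(payload: bytes) -> bool:
    """True if a TCP/502 payload carries the byte sequence from the IOC list."""
    return MODBUS_SHUTDOWN_SEQ in payload


# Constructed sample log lines (assumed addresses and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Nov/2018:10:00:01 +0000] "GET /unsecure/embedded/builtin?submit=Delete%20Password HTTP/1.1" 200 512',
    '10.0.0.5 - - [30/Nov/2018:10:00:02 +0000] "GET /unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Nov/2018:10:00:03 +0000] "GET /index.htm HTTP/1.1" 200 1024',
    '10.0.0.9 - - [30/Nov/2018:10:00:04 +0000] "GET /unsecure/embedded/builtin?Language=English HTTP/1.1" 200 512',
]
```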

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.4 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:P