CVE-2018-7841
published 2019-05-22


Priority: P190 critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (due 2022-05-06)
Exploited in the wild
EPSS: 72.49% (99.4th percentile)
A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.

Affected (2 ranges)

Vendor              Product                                   Version range   Fixed in
schneider-electric  u.motion_builder
u.motion            u.motion_builder_software_version_1.3.4

Detection & IOCs (extracted from sources)

path: /smartdomuspad/modules/reporting/track_import_export.php
path: /umotion/modules/reporting/track_import_export.php
command: op=export&language=english&interval=1&object_id=`sleep 10`
command: op=export&language=english&interval=1&object_id=`ping -c 1 {{interactsh-url}}`
snort (outbound):
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; startswith; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027454; rev:5; metadata:created_at 2019_06_11, cve CVE_2018_7841, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort (inbound):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2018-7841)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/track_import_export.php"; fast_pattern; endswith; http.request_body; content:"op="; startswith; content:"&object_id=|60|"; within:100; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027455; rev:5; metadata:created_at 2019_06_11, cve CVE_2018_7841, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
bytes: |60|
  • The exploit targets the HTTP POST parameter 'object_id' in track_import_export.php via backtick-wrapped OS command injection (backtick = hex 0x60). Detection should look for POST requests to this endpoint with '&object_id=|60|' in the body.
  • The attack is unauthenticated — no valid session or credentials are required to exploit the vulnerability. Any POST to the endpoint should be treated as suspicious.
  • This CVE is a bypass of the prior fix for CVE-2018-7765; detections for CVE-2018-7765 may not catch this variant.
  • The vulnerability has been observed exploited by Mirai botnet variants. Correlate detections with known Mirai C2 infrastructure.
  • OOB/DNS callback detection (e.g., via interactsh) can confirm exploitation: a successful exploit will trigger an outbound DNS/ICMP ping to an attacker-controlled host.
  • Successful exploitation returns HTTP 200 with Content-Type: application/octet-stream. Combine with URI and body matching for high-fidelity detection.
  • Two different base paths have been observed for the vulnerable endpoint: '/smartdomuspad/modules/reporting/track_import_export.php' (PoC) and '/umotion/modules/reporting/track_import_export.php' (Nuclei template). Detection rules should account for both path prefixes or match only on the filename.
  • The Snort/ET rules match the URI ending with '/track_import_export.php' using 'endswith', which covers both known path variants without requiring a full-path match.
  • The product has been retired and no patch will be issued; the vendor's recommended action is full removal of the software.
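As an added example (not part of the CVE record or the ET ruleset), the following Python re-implements the matching conditions of the two Snort rules above and runs them over constructed sample requests, so the rule logic can be replayed against proxy or WAF logs offline; HttpRequest, matches_cve_2018_7841, injected_command and scan are names introduced here.

```python
# Added example: replay the ET sid 2027454/2027455 match logic over HTTP requests.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENDPOINT = "/track_import_export.php"
# "&object_id=|60|" in the rule: 0x60 is the backtick that wraps the injected command
OBJECT_ID_BACKTICK = b"&object_id=\x60"

@dataclass
class HttpRequest:          # hypothetical minimal request model for log replay
    method: str
    uri: str
    body: bytes

def matches_cve_2018_7841(req: HttpRequest) -> bool:
    """True when the request satisfies every content match of the ET rule."""
    if req.method.upper() != "POST":
        return False
    path = req.uri.split("?", 1)[0]          # http.uri buffer, query string stripped
    if not path.endswith(ENDPOINT):          # 'endswith' covers both observed prefixes
        return False
    if not req.body.startswith(b"op="):      # 'startswith' on http.request_body
        return False
    # 'within:100' is relative to the end of the previous match ("op=", 3 bytes)
    return OBJECT_ID_BACKTICK in req.body[3:3 + 100]

def injected_command(body: bytes) -> Optional[str]:
    """Extract the backtick-wrapped object_id value for alert context, if present."""
    m = re.search(rb"object_id=\x60([^\x60]*)\x60", body)
    return m.group(1).decode("latin-1") if m else None

# Constructed sample traffic: the PoC body from the record under both observed
# base paths, plus a benign export request and a GET to the same endpoint.
SAMPLES = [
    HttpRequest("POST", "/smartdomuspad/modules/reporting/track_import_export.php",
                b"op=export&language=english&interval=1&object_id=`sleep 10`"),
    HttpRequest("POST", "/umotion/modules/reporting/track_import_export.php",
                b"op=export&language=english&interval=1&object_id=`sleep 10`"),
    HttpRequest("POST", "/umotion/modules/reporting/track_import_export.php",
                b"op=export&language=english&interval=1&object_id=42"),
    HttpRequest("GET", "/umotion/modules/reporting/track_import_export.php?op=export", b""),
]

def scan(requests: List[HttpRequest] = SAMPLES) -> List[Tuple[str, Optional[str]]]:
    """Return (uri, injected command) for every request the rule would fire on."""
    return [(r.uri, injected_command(r.body)) for r in requests if matches_cve_2018_7841(r)]

if __name__ == "__main__":
    for uri, cmd in scan():
        print(f"ALERT CVE-2018-7841 {uri} object_id=`{cmd}`")
```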

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL