CVE-2018-9245
published 2018-04-22

Priority: P260 critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 4.12% (89.5th percentile)
The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection vulnerability in the User ID and password fields that allows users to bypass the login page and execute remote code on the operating system.

Affected (1 range)

Vendor      Product     Version range   Fixed in
ericssonlg  ipecs_nms   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

path: /nms/php/module/main/main_login.php
path: /nms/php/module/main/main_start.php
path: /nms/php/module/init/module_init.php
command: passwd=1' or 1=1--
  • Detect SQL injection login bypass attempts targeting the iPECS NMS login endpoint: POST requests to /nms/php/module/main/main_login.php whose passwd field contains the classic SQLi payload 1' or 1=1--
  • Monitor POST requests to /nms/php/module/main/main_start.php with command=nms_start; this endpoint is abused post-authentication (after the SQLi bypass) to dump cleartext database credentials because of incorrect access control
  • Monitor POST requests to /nms/php/module/init/module_init.php with command=init_configuration and populated db_user/db_pwd parameters; this is the credential harvesting step that extracts NMS admin credentials using the previously dumped database credentials
  • Flag HTTP requests carrying the cookie mainTab_selectedChild=sysinfoTab combined with POST bodies to the three NMS PHP paths above as an indicator of the multi-stage exploitation sequence
  • Presence of the output file ipecsnms_dump.txt on disk may indicate successful exploitation and credential dumping on an iPECS NMS host
  • The exploit targets Ericsson-LG iPECS NMS version A.1Ac and possibly earlier versions; the vendor did not respond to notification, so no patch confirmation is available from the source
  • The exploit was tested only on Windows 2008 R2 x64; detection coverage on other OS deployments of iPECS NMS is unconfirmed

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C