CVE-2018-14327 in EE EE40VB 4G
Summary
by MITRE
The installer for the Alcatel OSPREY3_MINI Modem component on EE EE40VB 4G mobile broadband modems with firmware before EE40_00_02.00_45 sets weak permissions (Everyone:Full Control) for the "Web Connecton\EE40" and "Web Connecton\EE40\BackgroundService" directories, which allows local users to gain privileges, as demonstrated by inserting a Trojan horse ServiceManager.exe file into the "Web Connecton\EE40\BackgroundService" directory.
Analysis
by VulDB Data Team • 09/26/2025
The vulnerability identified as CVE-2018-14327 represents a critical privilege escalation flaw within the Alcatel OSPREY3_MINI Modem component installed on EE EE40VB 4G mobile broadband devices. This issue stems from improper access control configuration during the installation process, where the installer establishes directory permissions that grant excessive privileges to all local users. The affected directories "Web Connecton\EE40" and "Web Connecton\EE40\BackgroundService" are configured with Everyone:Full Control permissions, creating a fundamental security weakness that undermines the principle of least privilege. This misconfiguration allows any local user to manipulate system components that should remain protected from unauthorized modification, effectively providing a backdoor for privilege escalation attacks.
The installer fails to restrict the access control lists (ACLs) on these directories, a weakness classified as CWE-276 (Incorrect Default Permissions). Because the ACLs grant write access to every local user, an attacker can place a Trojan horse ServiceManager.exe file in the BackgroundService directory. The service manager component typically runs with higher privileges than regular user processes, so the planted file can execute with elevated privileges. This is a classic privilege escalation vector in which local user-level access is leveraged to achieve system-level control.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with persistent access to the device's core networking services. The BackgroundService directory specifically serves as a critical component for modem functionality, making it an attractive target for attackers seeking to maintain long-term access or manipulate network communications. This vulnerability affects devices running firmware versions prior to EE40_00_02.00_45, indicating a widespread issue across multiple device deployments. The attack surface is particularly concerning for mobile broadband devices that may be deployed in sensitive environments where physical access can be gained by adversaries, as the vulnerability does not require network connectivity or complex exploitation techniques.
Security professionals should consider this vulnerability in the context of ATT&CK technique T1068 (Exploitation for Privilege Escalation), which addresses local privilege escalation, and T1543 (Create or Modify System Process), covering execution through service creation or modification. The weakness in the installer's permission handling demonstrates a failure in secure software development practices, particularly in access control implementation. Organizations should apply immediate mitigations: update the firmware to EE40_00_02.00_45 or later, manually correct the permissions on the affected directories, and monitor access controls to detect unauthorized modifications. Network segmentation and user access controls should also be reviewed to limit the impact of successful exploitation, since the vulnerability leads to local system compromise rather than remote network access.
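One way to check for the permission weakness described above is to analyse `icacls` output collected from a host. The following is an added example, not code from MITRE, VulDB or the vendor; the `INSTALL_ROOT` path prefix and the sample output are constructed, and the list of broad principals is an assumption about which groups count as "any local user".

```python
import re

# Well-known Windows principals that include every ordinary local user (assumed list).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
# icacls right codes that allow creating or replacing files in a directory.
WRITE = {"F", "M", "W", "WD", "AD", "GA", "GW"}
# Inheritance flags, printed by icacls in the same parenthesised form as rights.
FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<groups>(?:\([^)]*\))+)$")

# Constructed sample: INSTALL_ROOT is a placeholder, the page gives no full path.
PATH = r"C:\INSTALL_ROOT\Web Connecton\EE40\BackgroundService"
SAMPLE = PATH + r""" Everyone:(OI)(CI)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Yield (principal, flags, rights, deny) for each ACE icacls printed for path."""
    for line in output.splitlines():
        # The first ACE shares a line with the path; paths may contain spaces,
        # so strip the known path instead of splitting on whitespace.
        text = line[len(path):] if line.startswith(path) else line
        m = ACE.match(text.strip())
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        flags, rights, deny = set(), set(), False
        for group in re.findall(r"\(([^)]*)\)", m["groups"]):
            for code in group.split(","):
                if code == "DENY":
                    deny = True
                elif code in FLAGS:
                    flags.add(code)
                else:
                    rights.add(code)
        yield m["who"], flags, rights, deny


def weak_aces(path, output):
    """Return allow-ACEs that let a broad principal write into path."""
    return [(who, sorted(rights & WRITE))
            for who, flags, rights, deny in parse_icacls(path, output)
            if who.lower() in BROAD and not deny and rights & WRITE]


if __name__ == "__main__":
    print(weak_aces(PATH, SAMPLE))
```

An empty result for both affected directories after the firmware update or manual ACL correction indicates the broad write grant is gone; running the same check periodically covers the monitoring step.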