CVE-2018-25152 in Edge EV150
Summary
by MITRE • 12/24/2025
Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/25/2025
The CVE-2018-25152 vulnerability represents a critical cross-site request forgery flaw in Ecessa Edge EV150 firmware version 10.7.4, demonstrating a fundamental failure in web application security controls. This vulnerability exists within the device's web management interface and specifically targets the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint which handles administrative user account creation. The flaw enables unauthenticated attackers to exploit the lack of proper anti-CSRF protections, allowing them to inject malicious requests that create superuser accounts with arbitrary credentials, effectively compromising the entire device administration system.
The technical implementation of this vulnerability stems from the absence of anti-cross-site request forgery tokens or other validation mechanisms within the affected endpoint. When a user visits a malicious webpage containing a hidden form submission to the vulnerable endpoint, the device processes the request without proper authentication checks or token validation. This allows attackers to programmatically create administrative accounts with full system privileges, bypassing normal authentication procedures and gaining unauthorized access to the device's configuration and management functions. The vulnerability is particularly dangerous because it operates at the administrative level, providing attackers with complete control over the network device's operations.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it fundamentally compromises the security posture of network infrastructure devices. An attacker who successfully exploits this vulnerability can modify network configurations, monitor traffic, redirect connections, and potentially establish persistent access points within the network. The lack of authentication requirements means that any user who visits the malicious page, including legitimate administrators, could inadvertently trigger the account creation process, making this vulnerability particularly insidious. This flaw represents a direct violation of security principle of least privilege and demonstrates poor implementation of access controls, as outlined in CWE-352 which specifically addresses cross-site request forgery vulnerabilities.
Organizations should implement immediate mitigations including network segmentation to isolate affected devices, deployment of web application firewalls to detect and block malicious requests to the vulnerable endpoint, and mandatory firmware updates to address the identified vulnerability. The solution requires proper implementation of anti-CSRF tokens within the web application framework, ensuring that all administrative actions require valid authentication tokens that are tied to the user's current session. This vulnerability also highlights the importance of secure coding practices and regular security assessments, particularly for network infrastructure devices that are often overlooked in traditional security monitoring. According to ATT&CK framework, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) techniques, as it enables attackers to establish persistent access through forged administrative credentials while potentially leveraging social engineering to deliver malicious payloads to target users.