← Back
2025-12-24 19:27CVE-2018-25149VulnCheck
PUBLISHED5.2CWE-352

Microhard Systems IPn4G 1.1.0 Cross-Site Request Forgery via Web Interface

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page.

Problem type

Affected products

Microhard Systems

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities

IPn4G 1.1.0 build 1098 - AFFECTED

References

ExploitDB-45034

https://www.exploit-db.com/exploits/45034

exploit
Microhard Systems Product Web Page

http://www.microhardcorp.com

product
Zero Science Lab Disclosure (ZSL-2018-5478)

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php

third-party-advisory

GitHub Security Advisories

GHSA-64rh-68mc-5mmx

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows...

https://github.com/advisories/GHSA-64rh-68mc-5mmx

Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2018-25149

exploit-db.com

https://www.exploit-db.com/exploits/45034

zeroscience.mk

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php

microhardcorp.com

http://www.microhardcorp.com

github.com

https://github.com/advisories/GHSA-64rh-68mc-5mmx

JSON source

https://cveawg.mitre.org/api/cve/CVE-2018-25149
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2018-25149",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2025-12-24T20:25:07.980Z",
    "dateReserved": "2025-12-24T14:28:02.436Z",
    "datePublished": "2025-12-24T19:27:51.383Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2025-12-24T19:27:51.383Z"
      },
      "datePublic": "2018-03-13T00:00:00.000Z",
      "title": "Microhard Systems IPn4G 1.1.0 Cross-Site Request Forgery via Web Interface",
      "descriptions": [
        {
          "lang": "en",
          "value": "Microhard Systems IPn4G 1.1.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to change admin passwords, add new users, and modify system settings by tricking authenticated users into loading a specially crafted page."
        }
      ],
      "affected": [
        {
          "vendor": "Microhard Systems",
          "product": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities",
          "versions": [
            {
              "version": "IPn4G 1.1.0 build 1098",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Cross-Site Request Forgery (CSRF)",
              "cweId": "CWE-352",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/45034",
          "name": "ExploitDB-45034",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "http://www.microhardcorp.com",
          "name": "Microhard Systems Product Web Page",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php",
          "name": "Zero Science Lab Disclosure (ZSL-2018-5478)",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "LiquidWorm as Gjoko Krstic of Zero Science Lab",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2025-12-24T20:25:07.980Z"
        },
        "title": "CISA ADP Vulnrichment",
        "references": [
          {
            "url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php",
            "tags": [
              "exploit"
            ]
          }
        ],
        "metrics": [
          {}
        ]
      }
    ]
  }
}