CVE-2018-19392
CRITICALCobham Satcom Sailor 250/500 <1.25 - Unauthenticated RCE
Title source: llmDescription
Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unauthenticated password reset vulnerability. This could allow modification of any user account's password (including the default "admin" account), without prior knowledge of their password. All that is required is knowledge of the username and attack vector (/index.lua?pageID=Administration usernameAdmChange, passwordAdmChange1, and passwordAdmChange2 fields).
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://cyberskr.com/blog/cobham-satcom-250-500.html
Third Party Advisory x_refsource_misc
https://gist.github.com/CyberSKR/2dfd5dccb20a209ec4d35b2678bac0d4
Scores
CVSS v3
9.8
EPSS
0.0141
EPSS Percentile
69.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (2)
cobham/satcom_sailor_250_firmware
< 1.25
cobham/satcom_sailor_500_firmware
< 1.25
Published
Mar 15, 2019
Tracked Since
Feb 18, 2026