CVE-2018-25143

HIGH

Microhard Systems IPn4G 1.1.0 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25143. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates a backdoor jailbreak in Microhard Systems' cellular gateways. It enables a hidden 'Microhard Sh' service, which creates an SSH user with a default password, leading to a restricted NcFTP shell. A command injection vulnerability in the custom 'ping' command allows escaping to a root shell.

Description

Microhard Systems IPn4G 1.1.0 contains a service vulnerability that allows authenticated users to enable a restricted SSH shell with a default 'msshc' user. Attackers can exploit a custom 'ping' command in the NcFTP environment to escape the restricted shell and execute commands with root privileges.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textlocalhardware

https://www.exploit-db.com/exploits/45041

View Code ZIP pw:eip

This exploit demonstrates a backdoor jailbreak in Microhard Systems' cellular gateways. It enables a hidden 'Microhard Sh' service, which creates an SSH user with a default password, leading to a restricted NcFTP shell. A command injection vulnerability in the custom 'ping' command allows escaping to a root shell.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Microhard Systems IPn4G, IPn3Gb, VIP4Gb, Bullet-3G, Dragon-LTE, etc. (multiple versions)

Auth required

Prerequisites: Authenticated access to the web admin panel or CSRF vulnerability · Network access to the device

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

https://www.exploit-db.com/exploits/45041

Product product

http://www.microhardcorp.com

Exploit, Third Party Advisory third-party-advisory

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php

Scores

CVSS v3 8.8

EPSS 0.0052

EPSS Percentile 39.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (12)

microhardcorp/bullet-3g_firmware 1.2.0 reva_build1032 (2 CPE variants)

microhardcorp/bullet-lte_firmware 1.2.0 build1078

microhardcorp/bulletplus_firmware 1.3.0 build1036

microhardcorp/dragon-lte_firmware 1.1.0 build1036

microhardcorp/ipn3gb_firmware 2.2.0 build2160

microhardcorp/ipn3gii_firmware 1.2.0 build1076

microhardcorp/ipn4g_firmware 1.1.0 build1098

microhardcorp/ipn4gb_firmware 1.1.6 build1184-14

microhardcorp/ipn4gb_firmware 1.1.0 rev2_build1090-2 (2 CPE variants)

microhardcorp/ipn4gii_firmware 1.2.0 build1078

... and 2 more

Published Dec 24, 2025

Tracked Since Feb 18, 2026