CVE-2018-25152

MEDIUM

Ecessa Edge EV150 10.7.4 - Unauthenticated Cross-Site Request Forgery via /cgi-bin/pl_web.cgi/util_configlogin_act

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25152. PoCs published by LiquidWorm.

AI-analyzed exploit summary This is a CSRF exploit that adds a superuser account to Ecessa Edge EV150 devices by submitting a crafted HTML form. It leverages lack of CSRF protection to perform unauthorized administrative actions.

Description

Ecessa Edge EV150 10.7.4 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious web page with a form that submits requests to the /cgi-bin/pl_web.cgi/util_configlogin_act endpoint to add superuser accounts with arbitrary credentials.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappslinux

https://www.exploit-db.com/exploits/44932

View Code ZIP pw:eip

This is a CSRF exploit that adds a superuser account to Ecessa Edge EV150 devices by submitting a crafted HTML form. It leverages lack of CSRF protection to perform unauthorized administrative actions.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Ecessa Edge EV150 (versions 10.7.4, 10.6.9, 10.6.5.2, 10.5.4, 10.2.24, 9.2.24)

Auth required

Prerequisites: Victim must be authenticated and visit the malicious page

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/44932

Various Sources product

https://www.ecessa.com

Scores

CVSS v3 5.3

EPSS 0.0014

EPSS Percentile 3.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (1)

Ecessa Corporation/Ecessa Edge EV150 10.7.4

Published Dec 24, 2025

Tracked Since Feb 18, 2026