CVE-2018-11741

9.8 CRITICAL

📋 TL;DR

NEC Univerge Sv9100 WebPro 6.00.00 devices have predictable session IDs that allow attackers to hijack user sessions and access account information including cleartext passwords. This affects organizations using these specific NEC PBX devices with the vulnerable WebPro interface.

💻 Affected Systems

Products:
  • NEC Univerge Sv9100 WebPro
Versions: 6.00.00
Operating Systems: Embedded system on NEC PBX hardware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the WebPro web interface component of the Sv9100 PBX system.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the PBX system, unauthorized access to all user accounts, exposure of cleartext credentials, and potential lateral movement into connected networks.

🟠 Likely Case

Unauthorized access to user sessions, account information disclosure, credential theft, and potential privilege escalation on the PBX system.

🟢 If Mitigated

Limited impact if proper network segmentation, access controls, and monitoring are in place to detect session hijacking attempts.

🌐 Internet-Facing: HIGH - If the WebPro interface is exposed to the internet, attackers can easily exploit this vulnerability remotely.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to gain unauthorized access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires no authentication and uses predictable session IDs in URLs. Multiple public exploit scripts are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions later than 6.00.00

Vendor Advisory: https://www.nec.com/en/global/security/

Restart Required: Yes

Instructions:

1. Contact NEC support for updated firmware.
2. Back up the current configuration.
3. Apply the firmware update.
4. Restart the PBX system.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

  • Restrict access to the WebPro interface to trusted networks only
  • Configure firewall rules to block external access to WebPro ports (typically 80/443)

Session Management Controls (applies to: all)

  • Implement additional session validation and monitoring
  • Configure the web server to log all session ID access attempts
  • Implement IP-based session validation if supported

🧯 If You Can't Patch

  • Isolate the PBX system on a separate VLAN with strict access controls
  • Implement network monitoring for unusual session ID patterns and access attempts

🔍 How to Verify

Check if Vulnerable:

Log in to the WebPro interface and check whether the session IDs in URLs follow a predictable (e.g. sequential) pattern, or whether the reported version is 6.00.00

Check Version:

Check WebPro interface login page or system information page for version number

Verify Fix Applied:

After patching, verify that session IDs issued on login are no longer predictable and that the reported version is no longer 6.00.00

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts with sequential session IDs
  • Access to Home.htm?sessionId= with unusual patterns
  • Successful logins from unexpected IP addresses

Network Indicators:

  • HTTP requests with predictable session ID patterns
  • Unusual traffic to WebPro interface from external sources

SIEM Query:

source="webpro_logs" AND ((uri="*Home.htm?sessionId=*" AND NOT user_agent="*normal_browser*") OR (uri="*sessionId=*" AND status=200))

(Replace `*normal_browser*` with the user-agent string(s) your administrators actually use; the query's intent is to surface successful requests carrying a sessionId in the URL, especially from unexpected clients.)
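The following script is an added example and is not part of this advisory or of NEC's software. It implements the two checks described above in the "How to Verify" and "Detection & Monitoring" sections: it parses constructed web-server access-log lines, groups `sessionId` values by client IP, flags clients whose session IDs form a sequential run (one sign of session-ID guessing), and offers a `looks_predictable()` helper an administrator can run on session IDs collected from their own logins to judge whether a fix has taken effect. The log format (common log format) and the numeric session IDs are assumptions for illustration; the real WebPro log format and session-ID encoding are not given on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines in common log format (assumption: the
# real WebPro logs may differ). Session IDs are made-up sequential numbers.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2018:10:00:01 +0000] "GET /Home.htm?sessionId=100231 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jun/2018:10:00:02 +0000] "GET /Home.htm?sessionId=100232 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jun/2018:10:00:03 +0000] "GET /Home.htm?sessionId=100233 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jun/2018:10:00:04 +0000] "GET /Home.htm?sessionId=100234 HTTP/1.1" 200 5120
192.168.1.20 - - [01/Jun/2018:10:05:00 +0000] "GET /Home.htm?sessionId=100235 HTTP/1.1" 200 5120
192.168.1.20 - - [01/Jun/2018:10:06:00 +0000] "GET /Status.htm HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_log(text):
    """Yield (client_ip, uri, status) for every line that matches the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("uri"), int(m.group("status"))


def session_id_from_uri(uri):
    """Return the sessionId query parameter of a request URI, or None."""
    values = parse_qs(urlparse(uri).query).get("sessionId")
    return values[0] if values else None


def to_int(sid):
    """Interpret a session ID as a decimal or hex integer; None if it is neither."""
    for base in (10, 16):
        try:
            return int(sid, base)
        except ValueError:
            continue
    return None


def longest_sequential_run(ids):
    """Length of the longest run in which each ID equals the previous ID + 1."""
    best = run = 0
    prev = None
    for sid in ids:
        n = to_int(sid)
        if n is not None and prev is not None and n == prev + 1:
            run += 1
        else:
            run = 1 if n is not None else 0
        best = max(best, run)
        prev = n
    return best


def looks_predictable(ids):
    """Verification helper: True when at least three IDs all differ by one constant step.

    Feed it session IDs collected from your own consecutive logins; a counter-style
    generator yields a single step value, a random generator will not.
    """
    nums = [to_int(s) for s in ids]
    if len(nums) < 3 or any(n is None for n in nums):
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1


def sessions_by_ip(log_text):
    """Map client IP -> ordered list of sessionId values seen on successful (200) requests."""
    seen = defaultdict(list)
    for ip, uri, status in parse_log(log_text):
        if status != 200:
            continue
        sid = session_id_from_uri(uri)
        if sid is not None:
            seen[ip].append(sid)
    return dict(seen)


def flag_sequential_clients(log_text, min_run=3):
    """Return {ip: run_length} for clients whose session IDs form a run of at least min_run."""
    flagged = {}
    for ip, ids in sessions_by_ip(log_text).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    for ip, run in flag_sequential_clients(SAMPLE_LOG).items():
        print(f"ALERT: {ip} used {run} sequential session IDs")
    print("IDs predictable:", looks_predictable(sessions_by_ip(SAMPLE_LOG)["10.0.0.5"]))
```

In the sample data the client `10.0.0.5` is flagged with a run of four consecutive session IDs, while `192.168.1.20` (one session) is not. The `min_run` threshold is the knob to tune against false positives: a legitimate user who logs in a few times on a counter-based system will also produce a short run, which is exactly why the advisory recommends monitoring for "unusual session ID patterns" rather than any sessionId request at all.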
