Cyber Posture

CVE-2018-25143

High · Public PoC

Published: 24 December 2025

Modified: 26 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (38.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Microhard Systems IPn4G 1.1.0 contains a service vulnerability that allows authenticated users to enable a restricted SSH shell with a default 'msshc' user. Attackers can exploit a custom 'ping' command in the NcFTP environment to escape the restricted shell and execute commands with root privileges.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the command injection flaw (CWE-78) in Microhard IPn4G 1.1.0 by requiring identification, reporting, and correction of the specific CVE vulnerability.

prevent

Prevents OS command injection in the custom 'ping' command within the NcFTP restricted shell by enforcing validation of all inputs.

prevent

Blocks the attack chain by disabling or restricting the default 'msshc' user account required to enable the vulnerable restricted SSH shell.

Security Summary · AI

CVE-2018-25143 is a service vulnerability in Microhard Systems IPn4G version 1.1.0 that enables authenticated users to activate a restricted SSH shell using the default 'msshc' user account. Within this restricted NcFTP environment, attackers can exploit a custom 'ping' command to perform an OS command injection (CWE-78), escaping the shell restrictions and gaining the ability to execute arbitrary commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

The attack requires low-privilege authenticated access over the network, with low complexity and no user interaction needed. An authenticated attacker can first enable the restricted SSH shell, then leverage the flawed 'ping' command in NcFTP to inject and execute operating system commands, ultimately escalating to root privileges. This grants full control over the affected device, including high confidentiality, integrity, and availability impacts.

Advisories and related resources include the vendor site at http://www.microhardcorp.com, a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/45041, and a detailed vulnerability report from Zero Science Labs at https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php. These references document the issue and exploitation method but do not specify patch availability in the provided details.

Details

CWE(s)

Affected Products

Vendor · Product · Version(s)
microhardcorp · ipn4g firmware · 1.1.0
microhardcorp · ipn3gb firmware · 2.2.0
microhardcorp · ipn4gb firmware · 1.1.0, 1.1.6
microhardcorp · bullet-3g firmware · 1.2.0
microhardcorp · vip4gb firmware · 1.1.6
microhardcorp · vip4gb wifi-n firmware · 1.1.6
microhardcorp · bullet-lte firmware · 1.2.0
microhardcorp · ipn3gii firmware · 1.2.0
microhardcorp · ipn4gii firmware · 1.2.0
microhardcorp · bulletplus firmware · 1.3.0
+1 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques · AI

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 · Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1059.004 · Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Vulnerability enables remote exploitation of SSH service (T1210) via authenticated access, command injection in Unix shell (T1059.004) for arbitrary OS command execution, and privilege escalation to root (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
