Cyber Resilience

CVE-2018-14839

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 14 May 2019

Modified: 07 November 2025
KEV Added: 25 March 2022
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8930 (99.6th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-14839 is a critical-severity OS Command Injection (CWE-78) vulnerability in LG N1A1 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

LG N1A1 NAS firmware version 3718.510 contains a remote command execution vulnerability tracked as CVE-2018-14839 and assigned CWE-78. The flaw permits unauthenticated attackers to supply crafted parameters in an HTTP POST request, resulting in execution of arbitrary operating-system commands on the affected network-attached storage device. The issue carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required credentials or user interaction, with high impact on confidentiality, integrity, and availability.

An attacker with network access to the NAS web interface can send a single unauthenticated HTTP POST containing malicious parameters and obtain arbitrary code execution. Successful exploitation grants the attacker the ability to read or modify any data on the device, install persistent malware, or use the NAS as a foothold for further network compromise.

Public references, including a detailed technical write-up and CISA’s Known Exploited Vulnerabilities catalog, confirm that the vulnerability has been observed in active exploitation campaigns. No official LG patch or mitigation guidance is referenced in the available sources; organizations are therefore advised to isolate or decommission affected LG N1A1 units until replacement hardware or updated firmware is obtained.

Vulnerability details

LG N1A1 NAS 3718.510 is affected by: Remote Command Execution. The impact is: execute arbitrary code (remote). The attack vector is: HTTP POST with parameters.

CWE(s): CWE-78
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: lg
Product: n1a1 firmware
Version: 3718.510

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly blocks the unauthenticated HTTP POST that allows arbitrary command execution on the NAS web interface.

prevent

Requires validation of all input parameters, preventing the crafted values that trigger OS command injection (CWE-78).

prevent

Enforces network boundary controls that can isolate or deny external access to the vulnerable LG NAS web interface until the device is replaced.
