CVE-2018-11138
Published: 31 May 2018
Summary
CVE-2018-11138 is a critical-severity OS Command Injection (CWE-78) vulnerability in Quest Kace System Management Appliance. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability tracked as CVE-2018-11138 affects the Quest KACE System Management Appliance version 8.0.318. Specifically, the script at /common/download_agent_installer.php can be reached without authentication and permits injection of operating system commands, corresponding to CWE-78. The issue received a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated attacker can send crafted requests to the script over the network and execute arbitrary commands on the underlying appliance. Successful exploitation grants the attacker the ability to run code with the privileges of the web server process, potentially leading to complete system compromise.
Public exploit code has been available since 2018, and the vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, confirming observed in-the-wild use. Core Security published a detailed advisory describing multiple related issues in the same product.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-3180
Vulnerability details
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
- CWE(s)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Directly blocks unauthenticated access to /common/download_agent_installer.php before any command injection can occur.
Requires validation of all input to the script, eliminating the OS command injection vector (CWE-78).
Mandates timely patching or removal of the vulnerable script in the KACE appliance.