Cyber Resilience

CVE-2018-11138

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linkedRCE

Published: 31 May 2018

Published
31 May 2018
Modified
05 November 2025
KEV Added
25 March 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9344 99.8th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-11138 is a critical-severity OS Command Injection (CWE-78) vulnerability in Quest Kace System Management Appliance. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability tracked as CVE-2018-11138 affects the Quest KACE System Management Appliance version 8.0.318. Specifically, the script at /common/download_agent_installer.php can be reached without authentication and permits injection of operating system commands, corresponding to CWE-78. The issue received a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated attacker can send crafted requests to the script over the network and execute arbitrary commands on the underlying appliance. Successful exploitation grants the attacker the ability to run code with the privileges of the web server process, potentially leading to complete system compromise.

Public exploit code has been available since 2018, and the vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, confirming observed in-the-wild use. Core Security published a detailed advisory describing multiple related issues in the same product.

EU & UK References

Vulnerability details

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

quest
kace system management appliance
8.0.318

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks unauthenticated access to /common/download_agent_installer.php before any command injection can occur.

prevent

Requires validation of all input to the script, eliminating the OS command injection vector (CWE-78).

prevent

Mandates timely patching or removal of the vulnerable script in the KACE appliance.

References