Cyber Resilience

CVE-2018-6961

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoCRCE

Published: 11 June 2018

Published
11 June 2018
Modified
30 October 2025
KEV Added
25 March 2022
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9388 99.9th percentile
Risk Priority 93 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-6961 is a high-severity OS Command Injection (CWE-78) vulnerability in Vmware Nsx Sd-Wan By Velocloud. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Deeper analysis

VMware NSX SD-WAN Edge by VeloCloud versions prior to 3.1.0 contain a command injection vulnerability, tracked as CWE-78, in the product's local web UI component. This component is disabled by default and the issue received a CVSS v3.1 score of 8.1 reflecting network attack vector, high complexity, and no required privileges or user interaction.

An unauthenticated attacker able to reach the web UI over the network could exploit the flaw to execute arbitrary commands on the affected appliance, resulting in full remote code execution with impacts to confidentiality, integrity, and availability.

Public references, including the VMware VMSA-2018-0011 advisory, reiterate that the component should not be enabled on untrusted networks and note that the service will be removed in future product releases. An exploit for the issue has been published on Exploit-DB.

EU & UK References

Vulnerability details

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be…

more

removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

vmware
nsx sd-wan by velocloud
≤ 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces disabling the vulnerable local web UI component by default and prohibits its activation on untrusted networks, eliminating the attack surface for the command-injection flaw.

prevent

Boundary-protection rules can block all network access to the local web UI, preventing an unauthenticated attacker from reaching the command-injection endpoint.

prevent

Requires prompt application of the vendor patch (or removal of the service in later releases) that eliminates the CWE-78 command-injection vulnerability.

References