id: CVE-2018-11138

info:
  name: Quest KACE System Management Appliance 8.0.318 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
  impact: |
    An attacker can execute arbitrary commands on the affected system, potentially leading to complete system compromise, data theft, or further network exploitation.
  remediation: |
    Upgrade to a patched version of Quest KACE System Management Appliance or apply the necessary security patches provided by Quest Software.
  reference:
    - https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities
    - https://www.exploit-db.com/exploits/44950/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-11138
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11138
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2018-11138
    cwe-id: CWE-78
    epss-score: 0.93443
    epss-percentile: 0.99826
    cpe: cpe:2.3:a:quest:kace_system_management_appliance:8.0.318:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: quest
    product: kace_system_management_appliance
    fofa-query: icon_hash="-463230636"
  tags: cve,cve2018,quest,kace,rce,kev,passive,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true

    matchers:
      - type: dsl
        dsl:
          - 'contains_any(tolower(body), "kace", "quest")'
          - 'compare_versions(detected_version, "8.0.318")'
        condition: and

    extractors:
      - type: regex
        part: body
        name: detected_version
        group: 1
        regex:
          - '\?build=([0-9.]+)'
# digest: 4a0a00473045022100c647d0e0712425dfa689f474ab9ef49f52ec3e5ee89007a14bdd567427f202f402205f615628d274f4de3ae01a540a5452feca98a49641adedbf28839f085c114a17:922c64590222798bb761d5b6d8e72950