CVE-2018-25320
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Attackers can use bitsadmin to download malicious PowerShell scripts and execute them with system privileges to establish reverse shells and gain complete system control.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| acl | ACL Analytics | 11.0 <= 13.0.0.579 | affected |
Weaknesses
- CWE-94: Improper Control of Generation of Code ('Code Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/44281
- https://www.acl.com
- https://www.acl.com/products/acl-analytics/
- https://www.vulncheck.com/advisories/acl-analytics-11-x-arbitrary-code-execution
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.