CVE-2018-11510
published 2018-06-28


Priority: P1 88 | critical | 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW | EXPLOIT | VulnCheck KEV
Exploited in the wild
EPSS: 44.76% (98.6th percentile)
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.

Affected

1 ranges

| Vendor  | Product | Version range  | Fixed in |
|---------|---------|----------------|----------|
| asustor | adm     | <= 3.1.2.rhg1  |          |

Detection & IOCs (extracted from sources)

path: /portal/apis/aggrecate_js.cgi
url: https://<host>:8001/portal/apis/aggrecate_js.cgi?script=launcher%22%26ls%20-ltr%26%22
port: 8001
path: /volume0/usr/builtin/webman/portal/apis
  • Monitor HTTP/HTTPS requests to /portal/apis/aggrecate_js.cgi containing shell metacharacters (e.g., %26, %22, %60) in the 'script' query parameter, which indicates OS command injection attempts.
  • Alert on inbound requests to port 8001 targeting /portal/apis/aggrecate_js.cgi with URL-encoded shell injection payloads such as 'launcher%22%26'.
  • Exploitation results in a root shell; monitor for processes spawned by the web server (e.g., /bin/sh -i) with uid=0(root) originating from the webman portal path.
  • Check for unauthenticated access to the NAS admin portal on port 8001 using the default credential nvradmin:nvradmin.
  • The exploit defaults to targeting port 8001 (HTTPS) for the ADM portal; the vulnerable CGI endpoint is only reachable if the portal is exposed on this port.
  • The reverse shell listener defaults to port 1234; defenders should monitor for unexpected outbound connections from NAS devices to attacker-controlled hosts on this port.
  • The vulnerability affects ADM 3.1.0.RFQ3 and all previous builds; the RCE was patched in ADM 3.1.3 released May 31, 2018.
  • The exploit was developed and tested on Python 2.7 on macOS; the SSL context disables certificate verification, meaning the attack works against self-signed HTTPS configurations.
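
The request-monitoring guidance in the first two bullets above, sketched as a log scanner. This is an added example, not code from the cited sources or the vendor. It assumes access logs in common log format from the portal or a proxy in front of it; the function names and sample lines are constructed, and the check also covers double-encoded values and duplicate slashes in the path.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote

VULN_PATH = "/portal/apis/aggrecate_js.cgi"  # endpoint named on this page
# Shell metacharacters; the page calls out %26 (&), %22 (") and %60 (`).
SHELL_META = set("&\"`;|$<>'()\n\r")
# Assumption: access logs in common/combined log format.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2526) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_script_param(target):
    """Return the decoded 'script' value if it holds shell metacharacters."""
    path, _, query = target.partition("?")
    # Normalise /a//b and /a/./b so path tricks do not bypass the match.
    path = posixpath.normpath(re.sub(r"/+", "/", unquote(path)))
    if path != VULN_PATH:
        return None
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)
        if name == "script" and SHELL_META & set(value):
            return value
    return None

def scan(lines):
    """Return (line number, client address, decoded payload) per flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        payload = suspicious_script_param(match.group(1)) if match else None
        if payload is not None:
            hits.append((number, line.split()[0], payload))
    return hits

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jun/2018:10:00:01 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jun/2018:10:02:13 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher%22%26ls%20-ltr%26%22 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [28/Jun/2018:10:02:20 +0000] "GET /portal//apis/aggrecate_js.cgi?script=launcher%2522%2526ls%2520-ltr%2526%2522 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [28/Jun/2018:10:03:00 +0000] "GET /portal/index.cgi?script=a%26b HTTP/1.1" 200 10',
]
```

Calling `scan(SAMPLE_LOG)` flags lines 2 and 3 and leaves the plain `script=launcher` request and the unrelated CGI alone.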

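CVSS provenance

| Source    | Version | Score | Severity | Vector                                       |
|-----------|---------|-------|----------|----------------------------------------------|
| nvd       | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd       | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N                   |
| vulncheck |         | 9.8   | CRITICAL |                                              |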