CVE-2018-11510
Published 2018-06-28
Priority P188 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 44.76% (98.6th percentile)
The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an unauthenticated remote code execution vulnerability in the portal/apis/aggrecate_js.cgi file by embedding OS commands in the 'script' parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asustor | adm | <= 3.1.2.rhg1 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP/HTTPS requests to /portal/apis/aggrecate_js.cgi containing shell metacharacters (e.g., %26, %22, %60) in the 'script' query parameter, which indicates OS command injection attempts.
- Alert on inbound requests to port 8001 targeting /portal/apis/aggrecate_js.cgi with URL-encoded shell injection payloads such as 'launcher%22%26'.
- Exploitation results in a root shell; monitor for processes spawned by the web server (e.g., /bin/sh -i) with uid=0(root) originating from the webman portal path.
- Check for unauthenticated access to the NAS admin portal on port 8001 using the default credential nvradmin:nvradmin.
- The exploit defaults to targeting port 8001 (HTTPS) for the ADM portal; the vulnerable CGI endpoint is only reachable if the portal is exposed on this port.
- The reverse shell listener defaults to port 1234; defenders should monitor for unexpected outbound connections from NAS devices to attacker-controlled hosts on this port.
- The vulnerability affects ADM 3.1.0.RFQ3 and all previous builds; the RCE was patched in ADM 3.1.3 released May 31, 2018.
- The exploit was developed and tested on Python 2.7 on macOS; the SSL context disables certificate verification, meaning the attack works against self-signed HTTPS configurations.
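As an added example (not part of the original page or of any cited source), the first two detections above can be applied to web access logs as follows. The combined-log format, the sample lines, the metacharacter set and the repeated URL-decoding step are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_PATH = "/portal/apis/aggrecate_js.cgi"   # endpoint named on this page
# Assumption: characters treated as shell metacharacters by this example.
SHELL_META = set("&|;`$<>(){}\\\"'\n")
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2526 -> %26 -> &)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return one alert per 'script' value that carries shell metacharacters."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Normalise encoded characters and duplicate slashes before comparing.
        path = re.sub(r"/+", "/", unquote(parts.path))
        if path != VULN_PATH:
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for raw in query.get("script", []):
            value = fully_decode(raw)
            meta = sorted(SHELL_META.intersection(value))
            if meta:
                alerts.append({"line": lineno, "src": line.split()[0],
                               "script": value, "meta": meta})
    return alerts

# Constructed sample log lines (documentation IP ranges, placeholder payloads).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2018:10:00:01 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jul/2018:10:00:05 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher%22%26placeholder HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jul/2018:10:00:06 +0000] "GET /portal//apis/aggrecate_js.cgi?script=launcher%2522%2526placeholder HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Jul/2018:10:00:09 +0000] "GET /portal/index.cgi?script=a%26b HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Access logs only cover the query string; a parameter sent in a request body would need the same check at a proxy or WAF.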
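CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 9.8 | CRITICAL | |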
GHSA
GHSA-r3m4-x4g8-pm2w: The ASUSTOR ADM 3
ghsa_unreviewed·2022-05-13
CVE-2018-11510 [CRITICAL] CWE-78 GHSA-r3m4-x4g8-pm2w: The ASUSTOR ADM 3
VulnCheck
asustor adm Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-11510 [CRITICAL] asustor adm Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: asustor adm
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-; https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; https://www.akamai.com/blog/security/latest-echobot-26-infection-
No detection rules found.
Exploit-DB
ADM 3.1.2RHG1 - Remote Code Execution
exploitdb·2018-08-17·CVSS 9.8
CVE-2018-11510 [CRITICAL] ADM 3.1.2RHG1 - Remote Code Execution
---
# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
# Author: Matthew Fulton & Kyle Lovett
# Date: 2018-07-01
# Vendor Homepage: https://www.asustor.com/
# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
# Version: <= ADM 3.1.2RHG1
# Tested on: ASUSTOR AS6202T
# CVE : CVE-2018-11510
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
#!/usr/bin/python
"""
CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
This exploit takes advantage of an unauthenticated OS command injection discovered by Kyle Lovett.
If exploitation occurs successfully, a root shell is granted.
Authors: Matthew Fulton and Kyle Lovett
Date: 27 May 2018
Background: Both Kyle and I found a number of vulnerab
Exploit-DB
ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection
exploitdb·2018-08-15·CVSS 9.8
CVE-2018-11511 [CRITICAL] ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection
---
Product - ASUSTOR ADM - 3.1.0.RFQ3 and all previous builds
Vendor - https://www.asustor.com/
Patch Notes - http://download.asustor.com/download/docs/releasenotes/RN_ADM_3.1.3.RHU2.pdf
Issue: The Asustor NAS appliance on ADM 3.1.0 and before suffers from
multiple critical vulnerabilities. The vulnerabilities were submitted
to Asustor in January and February 2018. Several follow-up requests
were made in an attempt to obtain vendor acknowledgement; however, no
correspondence was ever received. Nevertheless, the vendor did patch
the RCE issue in the 3.1.3 ADM release on May 31, 2018.
Resolution: Upgrade to newest Asustor firmware, ADM 3.1.3.
CVE-2018-11510
Remote Command Execution (Unauthenticated)
CWE-78 - Improper Neutr
Checkpoint
27th April – Threat Intelligence Bulletin
blogs_checkpoint·2020-04-27·CVSS 10.0
CVE-2019-11510 [CRITICAL] 27th April – Threat Intelligence Bulletin
## 27th April – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 27th April 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point has investigated a Business Email Compromise attack targeting a financial organization and their business partner. The attacking group, the Florentine Banker, manipulated four transactions of over 1 million GBP into their own bank accounts using advanced phishing tactics to target the mail accounts of key i
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42·2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Unit42
New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
blogs_unit42·2019-06-07·CVSS 9.8
[CRITICAL] New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
Executive Summary
Palo Alto Networks Unit 42 has been tracking the evolution of the Mirai malware, known for targeting embedded devices with the primary intent of launching DDoS attacks and self-propagation, since 2016 when it took down several notable targets.
As part of this ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top-boxes, SD-WANs, and even smart home controllers.
Mirai initially made use of default credentials to gain access to devices. However, since the end of 2017, samples of the family have increasingly been observed making use of publicly available exploits to propagate and run on vulnerable devices.
Ruchna Nigam
Published: June 6, 2019
Tags: Malware, Threat Research, Vulnerabilities, CVE-2017-5174, CVE-2018-11510, CVE-2018-17173, CVE-2018-6961, CVE-2019-2725, CVE-2019-3929, Exploits, IoT, Linux, Mirai
- http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html
- https://github.com/mefulton/CVE-2018-11510
- https://github.com/mefulton/CVE-2018-11510/blob/master/admex.py
- https://www.exploit-db.com/exploits/45200/
- https://www.exploit-db.com/exploits/45212/