CVE-2018-1207
published 2018-03-23
Priority P191 · critical · 9.8 · CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 90.79% (99.8th percentile)
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | emc_idrac7 | < 2.52.52.52 | 2.52.52.52 |
| dell | emc_idrac8 | < 2.52.52.52 | 2.52.52.52 |
Detection & IOCs
- Send a GET request to /cgi-bin/login?LD_DEBUG=files on the target iDRAC7/8 interface. If the response body contains the string 'calling init: /lib/', the target is vulnerable to CVE-2018-1207.
- The vulnerability is exploitable by an unauthenticated remote attacker via CGI variable injection (LD_DEBUG/LD_PRELOAD-style environment variable manipulation) on the iDRAC web interface.
- The built-in exploit payload configures USER ID 13 with username 'user' and password 'Passw0rd' as an iDRAC webadmin. Monitor for unexpected iDRAC user creation at slot 13.
- After exploitation, attackers may use racadm over TCP/443 for command-line access. Monitor for racadm connections to iDRAC on port 443.
- The vulnerability affects Dell EMC iDRAC7/iDRAC8 versions PRIOR to 2.52.52.52 only. Devices running 2.52.52.52 or later are patched.
- The exploit payload is precompiled for ARM (ELF 32-bit ARM architecture based on the binary header). It will only execute on the iDRAC's embedded ARM processor and is not portable to x86 targets.
- Exploitation overwrites iDRAC USER ID 13 unconditionally; any existing user at that slot is unrecoverable.
CVSS provenance
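| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |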
GHSA
GHSA-vm2f-3gpj-98m4: Dell EMC iDRAC7/iDRAC8, versions prior to 2
ghsa_unreviewed·2022-05-13
CVE-2018-1207 [CRITICAL] CWE-94 GHSA-vm2f-3gpj-98m4: Dell EMC iDRAC7/iDRAC8, versions prior to 2
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.
VulnCheck
dell emc_idrac7 Improper Control of Generation of Code ('Code Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-1207 [CRITICAL] dell emc_idrac7 Improper Control of Generation of Code ('Code Injection')
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.
Affected: dell emc_idrac7
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/; https://app.crowdsec.net/cti/cve-explorer/CVE-2018-1207
Exploit PoC: https://vulncheck.com/xdb/0a0735b361d0; https://vulncheck.com/xdb/ab5fd373cd47; https://vulncheck.com/xdb/b29573f20548
No detection rules found.
Exploit-DB
Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE)
exploitdb·2025-04-16·CVSS 9.8
CVE-2018-1207 [CRITICAL] Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE)
---
# Exploit Title: Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE) via file upload
# Date: 2024-08-28
# Exploit Author: Photubias
# Vendor Homepage: https://dell.com
# Vendor Advisory: [1] https://dl.dell.com/manuals/all-products/esuprt_solutions_int/esuprt_solutions_int_solutions_resources/dell-management-solution-resources_White-Papers6_en-us.pdf
# Version: integrated Dell Remote Access Console v7 & v8 .
File name CVE-2018-1207.py
written by Photubias
CVE-2018-1207 is an unauthenticated file upload and so library execution vulnerability on the HTTPS web interface.
This exploit contains a checker and a builtin exploit to add a webuser for remote admin access
# Manual verification example, if libraries a
Nuclei
Dell iDRAC7/8 Devices - Remote Code Injection
nuclei·CVSS 9.8
CVE-2018-1207 [CRITICAL] Dell iDRAC7/8 Devices - Remote Code Injection
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability
which could be used to execute remote code. A remote unauthenticated attacker may
potentially be able to use CGI variables to execute remote code.
Template:
id: CVE-2018-1207
info:
  name: Dell iDRAC7/8 Devices - Remote Code Injection
  author: dwisiswant0
  severity: critical
  description: |
    Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a CGI injection vulnerability
    which could be used to execute remote code. A remote unauthenticated attacker may
    potentially be able to use CGI variables to execute remote code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
  re
Nuclei
Dell iDRAC Security Checks
nuclei·CVSS 9.8
[CRITICAL] Dell iDRAC Security Checks
A workflow to identify Dell iDRAC instances and run all related nuclei templates.
Template:
id: dell-idrac-workflow
info:
  name: Dell iDRAC Security Checks
  author: kophjager007,megamansec
  description: A workflow to identify Dell iDRAC instances and run all related nuclei templates.
workflows:
  - template: http/technologies/dell/dell-idrac6-detect.yaml
    subtemplates:
      - template: http/default-logins/dell/dell-idrac-default-login.yaml
  - template: http/technologies/dell/dell-idrac7-detect.yaml
    subtemplates:
      - template: http/cves/2018/CVE-2018-1207.yaml
      - template: http/default-logins/dell/dell-idrac-default-login.yaml
  - template: http/technologies/dell/dell-idrac8-detect.yaml
    subtemplates:
      - template: http/cves/2018/CVE-2018-1207.yaml
      - template: http/default-lo
No writeups or analysis indexed.
- http://en.community.dell.com/techcenter/extras/m/white_papers/20485410
- http://www.securityfocus.com/bid/103694
- https://twitter.com/nicowaisman/status/977279766792466432
Published: 2018-03-23 · Exploited in the wild