CVE-2018-1235
published 2018-05-29


Priority: P1 · 79 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EPSS 43.29% (98.6th percentile)
Dell EMC RecoverPoint versions prior to 5.1.2 and RecoverPoint for VMs versions prior to 5.1.1.3, contain a command injection vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability to execute arbitrary commands on the affected system with root privilege.

Affected (4 ranges)

Vendor   | Product                               | Version range           | Fixed in
dell_emc | dell_emc_recoverpoint                 | >= unspecified < 5.1.2  | 5.1.2
dell_emc | dell_emc_recoverpoint_virtual_machine | >= unspecified < 5.1.1.3 | 5.1.1.3
emc      | recoverpoint                          | < 5.1.2                 | 5.1.2
emc      | recoverpoint_for_virtual_machines     | < 5.1.1.3               | 5.1.1.3

Detection & IOCs (extracted from sources)

command: ssh '$(useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`)'@192.168.57.3
process: useradd -ou0 -g0 bao7uo -p`openssl passwd -1 Secret123`
  • Alert on creation of new UID-0 (root-equivalent) accounts via `useradd -ou0` or `useradd -o -u 0` on Dell EMC RecoverPoint appliances, as this is the persistence mechanism used post-exploitation.
  • The injection payload is length-constrained: the combined length of the injected username and password is limited to 21 characters. Detection rules should flag unusually short but syntactically complex SSH usernames containing `$()` or backtick subshell syntax.
  • Unauthenticated exploitation occurs before any credential validation; look for SSH connection attempts that are immediately followed by new local user creation or privilege escalation events (uid=0) on RecoverPoint appliances.
  • Affected versions are Dell EMC RecoverPoint prior to 5.1.2 and RecoverPoint for VMs prior to 5.1.1.3. Exploitation was confirmed on RP4VMs 5.1.1.2 and RP 5.1.SP1.P2; detections should be scoped to these appliance versions.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C