CVE-2018-12464
published 2018-06-29


Priority: P186 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 80.54% (99.6th percentile)

A SQL injection vulnerability in the web administration and quarantine components of Micro Focus Secure Messaging Gateway allows an unauthenticated remote attacker to execute arbitrary SQL statements against the database. This can be exploited to create an administrative account and used in conjunction with CVE-2018-12465 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that use the GWAVA product name (i.e. GWAVA 6.5).

Affected

2 ranges

Vendor | Product | Version range | Fixed in
micro_focus | secure_messaging_gateway | >= unspecified < 471 | 471
microfocus | secure_messaging_gateway | < 471 | 471

Detection & IOCs (extracted from sources)

path: /api/1/enginelist.php
path: /admin/contents/ou/manage_domains_save_data.json.php
path: /admin/contents/ou/manage_domains_dkim_keygen_request.php
path: /security/securitygate.php
command: $(php -r '#{payload.encoded}')
command: INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)
other: appkey
other: DkimRecordId

  • Monitor POST requests to /api/1/enginelist.php with the 'appkey' parameter containing stacked SQL query payloads (e.g., SELECT <random_numeric>, INSERT INTO account, INSERT INTO UserRole) — this is the SQLi entry point for CVE-2018-12464.
  • Alert on POST requests to /admin/contents/ou/manage_domains_save_data.json.php where the SaveData body contains a Domain field with shell command substitution syntax such as $(...) or backtick expressions — this is the payload implantation step.
  • Alert on POST requests to /admin/contents/ou/manage_domains_dkim_keygen_request.php with a DkimRecordId parameter — this endpoint triggers OS command execution and is the final exploitation step.
  • Detect authentication attempts to /security/securitygate.php immediately following anomalous account creation via SQL injection into the 'account' and 'UserRole' tables — this sequence indicates chained SQLi-to-RCE exploitation.
  • Look for new rows inserted into the PostgreSQL 'account' table with privilege level 1 and role entries in 'UserRole' not associated with normal provisioning workflows — artifact of the SQLi user-creation step.
  • The exploit uses a php/meterpreter/reverse_tcp payload encoded with php/base64 by default; look for base64-encoded PHP payloads in the Domain field of DKIM-related API calls.
  • The vulnerability only affects Micro Focus SMG versions prior to 471; earlier GWAVA-branded versions (e.g., GWAVA 6.5) are not affected.
  • CVE-2018-12464 (SQLi) must be chained with CVE-2018-12465 (OS command injection) to achieve unauthenticated RCE; neither vulnerability alone provides full unauthenticated code execution.
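
The sequence check described in the bullets above, as an added example (not part of this entry or of any vendor tooling): it flags clients that POST to the four listed endpoints in chain order within a time window, using only what a Combined Log Format access log records, since POST bodies are normally not logged there. The function names, the 10-minute window, and the sample lines with documentation-range IPs are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Endpoints named on this page, in the order the chained exploit touches them.
STAGES = [
    "/api/1/enginelist.php",                                      # SQLi entry (appkey)
    "/security/securitygate.php",                                 # login with new account
    "/admin/contents/ou/manage_domains_save_data.json.php",       # Domain field implant
    "/admin/contents/ou/manage_domains_dkim_keygen_request.php",  # command trigger
]
WINDOW = timedelta(minutes=10)  # assumption: tune for your environment

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)')

def find_chains(lines, window=WINDOW):
    """Return {client_ip: [chain start times]} for clients that POST to
    all four stages in order within `window`."""
    progress, hits = {}, {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in STAGES:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen = progress.setdefault(m["ip"], [])
        if seen and ts - seen[0] > window:
            seen.clear()                      # stale partial chain
        if m["path"] == STAGES[len(seen)]:
            seen.append(ts)                   # next expected stage
        elif m["path"] == STAGES[0]:
            seen[:] = [ts]                    # chain restarted
        if len(seen) == len(STAGES):
            hits.setdefault(m["ip"], []).append(seen[0])
            progress[m["ip"]] = []
    return hits

def sample_row(ip, clock, path):  # builds one constructed log line
    return f'{ip} - - [29/Jun/2018:{clock} +0000] "POST {path} HTTP/1.1" 200 512'

# Constructed sample: one ordinary admin session, one full chain.
SAMPLE_LOG = [
    sample_row("198.51.100.20", "09:58:00", STAGES[1]),
    sample_row("198.51.100.20", "09:59:10", STAGES[2]),
    sample_row("203.0.113.7", "10:00:01", STAGES[0]),
    sample_row("203.0.113.7", "10:00:02", STAGES[0]),
    sample_row("203.0.113.7", "10:00:03", STAGES[1]),
    sample_row("203.0.113.7", "10:00:04", STAGES[2]),
    sample_row("203.0.113.7", "10:00:05", STAGES[3]),
]
```

Running `find_chains(SAMPLE_LOG)` reports only 203.0.113.7; the admin session from 198.51.100.20 never starts at the first stage and is ignored.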

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P