CVE-2018-12465
published 2018-06-29


Priority: P2 · 71 · high
CVSS 3.0: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 78.95% (99.5th percentile)
An OS command injection vulnerability in the web administration component of Micro Focus Secure Messaging Gateway (SMG) allows a remote attacker authenticated as a privileged user to execute arbitrary OS commands on the SMG server. This can be exploited in conjunction with CVE-2018-12464 to achieve unauthenticated remote code execution. Affects Micro Focus Secure Messaging Gateway versions prior to 471. It does not affect previous versions of the product that used the GWAVA product name (i.e. GWAVA 6.5).

Affected (2 ranges)

Vendor        Product                     Version range            Fixed in
micro_focus   secure_messaging_gateway    >= unspecified, < 471    471
microfocus    secure_messaging_gateway    < 471                    471

Detection & IOCs (extracted from sources)

path: /api/1/enginelist.php
path: /admin/contents/ou/manage_domains_save_data.json.php
path: /admin/contents/ou/manage_domains_dkim_keygen_request.php
path: /security/securitygate.php
command: $(php -r '#{payload.encoded}')
command: INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)
command: PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "..."
  • Monitor HTTP POST requests to /api/1/enginelist.php with the 'appkey' parameter containing stacked SQL query payloads (e.g., semicolons, INSERT/SELECT statements).
  • Alert on POST requests to manage_domains_dkim_keygen_request.php, especially from newly created or low-privilege accounts, as this endpoint triggers OS command execution via the DKIM domain field.
  • Detect DKIM Domain field values containing shell command substitution syntax such as $(...) or backtick expressions submitted to manage_domains_save_data.json.php.
  • Detect POST requests to /security/securitygate.php with the 'passwordmandatory' parameter present, which is a non-standard field used by the exploit's login step.
  • Look for SQL INSERT statements targeting the 'account' and 'UserRole' tables in SMG's PostgreSQL database (SecureGateway), which may indicate exploitation of CVE-2018-12464 to create a rogue admin user.
  • The default Metasploit payload for this exploit is php/meterpreter/reverse_tcp encoded with php/base64; detect outbound reverse TCP connections from the SMG web process after requests to the DKIM endpoints.
  • The exploit chain requires both CVE-2018-12464 (SQLi) and CVE-2018-12465 (OS command injection) to achieve unauthenticated RCE; CVE-2018-12465 alone requires an authenticated privileged session.
  • Only Micro Focus SMG versions prior to 471 are affected; the older GWAVA-branded product (e.g., GWAVA 6.5) is not affected.
  • The OS command injection is triggered via the DKIM Domain field; the malicious domain record must first be implanted via manage_domains_save_data.json.php before triggering via manage_domains_dkim_keygen_request.php.
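A defender-side check that applies the detection points above to request logs. This is an added example, not code from the page's sources or from the Metasploit module; it assumes a constructed log format of `METHOD PATH BODY` (one request per line, form body URL-encoded), and the sample lines are made up for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Stacked-query marker: a statement terminator followed by another SQL verb.
STACKED_SQL = re.compile(r";\s*(INSERT|SELECT|UPDATE|DELETE|DROP)\b", re.IGNORECASE)
# Shell command substitution in a form field: $(...) or backticks.
SHELL_SUBST = re.compile(r"\$\(|`")

# Constructed sample request log lines (assumed format: METHOD PATH BODY).
SAMPLE_REQUESTS = [
    "POST /api/1/enginelist.php appkey=x%27%3BINSERT+INTO+account+VALUES+%281%29%3B--",
    "POST /security/securitygate.php username=x&password=y&passwordmandatory=1",
    "POST /admin/contents/ou/manage_domains_save_data.json.php domain=$(hostname)&enabled=1",
    "POST /admin/contents/ou/manage_domains_dkim_keygen_request.php domain=mail.example.com",
    "GET /admin/index.php",
    "POST /admin/contents/ou/manage_domains_save_data.json.php domain=mail.example.com&enabled=1",
]


def parse_form(body: str) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body without treating ';' as a separator."""
    params: Dict[str, str] = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def analyze(line: str) -> List[str]:
    """Return the alert labels raised by one request log line (empty list if benign)."""
    parts = line.split(maxsplit=2)
    method, path = parts[0], parts[1]
    params = parse_form(parts[2]) if method == "POST" and len(parts) > 2 else {}
    alerts: List[str] = []
    if path == "/api/1/enginelist.php" and STACKED_SQL.search(params.get("appkey", "")):
        alerts.append("CVE-2018-12464: stacked SQL in appkey")
    if path == "/security/securitygate.php" and "passwordmandatory" in params:
        alerts.append("non-standard passwordmandatory login field")
    if path.endswith("/manage_domains_save_data.json.php") and any(SHELL_SUBST.search(v) for v in params.values()):
        alerts.append("CVE-2018-12465: shell substitution in domain record")
    if path.endswith("/manage_domains_dkim_keygen_request.php"):
        alerts.append("DKIM keygen request: review requesting account's age and privilege")
    return alerts


def scan(lines: List[str]) -> List[List[str]]:
    """Analyze every line; index i of the result holds the alerts for line i."""
    return [analyze(line) for line in lines]
```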

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     7.2    HIGH      CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C