cbcvebase.
CVE-2018-18325
published 2019-07-03

Priority: P1 (84, high) · CVSS 3.1: 7.5
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 74.05% (99.4th percentile)
DNN (aka DotNetNuke) 9.2 through 9.2.2 uses a weak encryption algorithm to protect input parameters. NOTE: this issue exists because of an incomplete fix for CVE-2018-15811.

Affected

1 range

Vendor | Product | Version range | Fixed in
dnnsoftware | dotnetnuke | 9.2 – 9.2.2 | (not listed)

Detection & IOCs (extracted from sources)

cookie: DNNPersonalization=WriteFileC:\Windows\win.ini
path: /__
cookie: DNNPersonalization
cookie: .DOTNETNUKE
other: ExpandedWrapperOfObjectStateFormatterObjectDataProvider
snort: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: ff 01 32 (ObjectStateFormatter serialized header: [255, 1, 50])
  • Trigger detection by monitoring HTTP requests to the DNN 404 handler path (default '/__') carrying a DNNPersonalization cookie containing XML with 'type' attribute, 'MethodName', 'Deserialize', and 'MethodParameters' fields — all hallmarks of the deserialization payload.
  • Inspect HTTP cookies for the string 'ExpandedWrapperOfObjectStateFormatterObjectDataProvider' within the DNNPersonalization cookie value — this is the fast-pattern anchor used by the ET rule.
  • For DNN versions 9.2.0–9.3.0-RC, exploitation requires an authenticated session (.DOTNETNUKE cookie) AND an encrypted DNNPersonalization cookie; detection should correlate authenticated requests carrying encrypted cookie payloads to the 404 handler path.
  • Validate exploitation by checking HTTP 404 response body for Windows win.ini content strings '[extensions]' and 'for 16-bit app support', indicating successful file-read via deserialization.
  • The ObjectStateFormatter serialized payload begins with the byte sequence [255, 1, 50] (0xFF 0x01 0x32); network or endpoint detection can key on this header within base64-decoded DNNPersonalization cookie values.
  • CVE-2018-18325 is an incomplete patch for CVE-2018-15811; the ET Snort rule references CVE-2018-15811 in its message but covers both CVEs, so ensure your ruleset is not filtering one out.
  • Exploitation of DNN 9.2.0+ (targets requiring ReqEncrypt and ReqSession) requires the attacker to supply a valid KEY, IV, and authenticated session token; unauthenticated detections alone are insufficient for these versions.
  • The default TARGETURI '/__' triggers the DNN 404 handler; defenders should also monitor any custom 404 handler paths configured on their DNN instances, not just the default.
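The indicators above turned into checks a defender can run over request logs, as an added example that is not from this page's sources or from the DNN project. It re-implements the ET rule's content chain, looks for base64 runs in the DNNPersonalization cookie that decode to the ff 01 32 header, and correlates the 404 handler path and the .DOTNETNUKE session cookie; the two cookie fixtures are constructed, and the blob is a dummy header followed by filler bytes, not a serialized object.

```python
import base64, re
from urllib.parse import unquote

# Fast-pattern anchor and ordered content chain from ET sid 2034308 (the Snort rule above).
ANCHOR = "ExpandedWrapperOfObjectStateFormatterObjectDataProvider"
CHAIN = ["<profile", "MethodName", "Deserialize", "MethodParameters"]  # distance:0 chain
OSF_HEADER = b"\xff\x01\x32"  # ObjectStateFormatter marker 0xFF, version 1, token 50 (binary-serialized)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
def cookie_value(cookie_header, name):
    """URL-decoded value of one cookie from a raw Cookie header, or None if absent."""
    m = re.search(r"(?:^|;\s*)" + re.escape(name) + r"=([^;]*)", cookie_header)
    return unquote(m.group(1)) if m else None
def matches_et_rule(cookie_header):
    """Mirror the rule: anchor and cookie name anywhere, then the chain in order (nocase)."""
    hay = unquote(cookie_header).lower()  # decoded first so percent-encoded cookies are not missed
    if ANCHOR.lower() not in hay or "dnnpersonalization=" not in hay:
        return False
    pos = 0
    for needle in CHAIN:
        pos = hay.find(needle.lower(), pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True
def osf_payloads(cookie_header):
    """Base64 runs inside the DNNPersonalization value that decode to the ff 01 32 header."""
    hits = []
    for run in B64_RUN.findall(cookie_value(cookie_header, "DNNPersonalization") or ""):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip the run
            continue
        if raw.startswith(OSF_HEADER):
            hits.append(run)
    return hits
def assess(path, cookie_header):
    """Combine the page's indicators for one request so they can be correlated per DNN version."""
    f = {"handler_404": path.split("?", 1)[0] == "/__",  # default DNN 404 handler path
         "et_rule": matches_et_rule(cookie_header),
         "osf_header": bool(osf_payloads(cookie_header)),
         "session": cookie_value(cookie_header, ".DOTNETNUKE") is not None}  # authenticated request
    f["suspicious"] = f["et_rule"] or f["osf_header"]
    return f

# Constructed fixtures, not captures: the XML shape the rule keys on, carrying a dummy ff 01 32 blob.
BLOB = base64.b64encode(OSF_HEADER + b"\x00\x01\x00\x00\x00").decode()  # "/wEyAAEAAAA="
EVIL = ('DNNPersonalization=<profile><item type="' + ANCHOR + '"><MethodName>Deserialize</MethodName>'
        '<MethodParameters><anyType>' + BLOB + '</anyType></MethodParameters></item></profile>'
        '; .DOTNETNUKE=constructed-session-token')
BENIGN = "DNNPersonalization=<profile></profile>; .DOTNETNUKE=constructed-session-token"
```

For the 9.2.0+ variant the cookie is encrypted, so only the `handler_404` and `session` flags fire; treat that combination as the correlation signal the bullets describe rather than as a miss.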

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa | | 7.5 | HIGH |
osv | | 7.5 | HIGH |
vulncheck | | 7.5 | HIGH |
cisa | | 7.5 | HIGH |