CVE-2018-18326
published 2019-07-03

Priority: P2 · 64 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 53.62% (98.9th percentile)
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.

Affected

1 range
Vendor | Product | Version range | Fixed in
dnnsoftware | dotnetnuke | 9.2 – 9.2.2 |

Detection & IOCs (extracted from sources)

cookie: DNNPersonalization
url: /__
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes: ff 01 32 (ObjectStateFormatter serialized header)
  • The malicious DNNPersonalization cookie payload contains the XML strings 'ExpandedWrapperOfObjectStateFormatterObjectDataProvider', '<profile', 'MethodName', 'Deserialize', and 'MethodParameters' — all present in the HTTP cookie header.
  • The exploit triggers cookie deserialization by requesting a path that causes a DNN 404 error (default: '/__'), which causes DNN to process the DNNPersonalization cookie and deserialize the attacker-controlled payload.
  • For DNN versions 9.2.0+, the exploit requires an authenticated session cookie (.DOTNETNUKE) and an encrypted DNNPersonalization cookie. Detect authenticated requests carrying both cookies with deserialization payload markers.
  • The serialized ObjectStateFormatter payload begins with the byte sequence [0xFF, 0x01, 0x32] (255, 1, 50). Inspect cookie values for this binary header after base64-decoding.
  • CVE-2018-18326 affects DNN 9.2 through 9.2.2 specifically due to an incomplete fix for CVE-2018-15812 (weak encryption key entropy). The Metasploit module targets a broader range (5.0.0 to 9.3.0-RC) covering multiple related CVEs; ensure version-specific targeting when deploying detections.
  • The Emerging Threats Snort rule (sid:2034308) is labeled for CVE-2018-15811 but explicitly references CVE-2018-18326 and CVE-2018-18325 as well; it covers the shared deserialization attack vector across all related DNN CVEs.
  • For DNN 9.2.0–9.2.1 and 9.2.2–9.3.0-RC targets, the exploit requires both encryption (KEY and IV) and an authenticated session token, meaning unauthenticated network-layer detections alone are insufficient for these versions.
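
A log-triage helper for the detection notes above, as an added example (not code from the page's sources or from DNN): it checks one request's Cookie header for the listed XML markers and for a base64 run that decodes to the ff 01 32 header. The function names, finding labels and the low-confidence "both cookies present" finding are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Marker strings and header bytes exactly as listed in the detection notes.
MARKERS = ("ExpandedWrapperOfObjectStateFormatterObjectDataProvider",
           "<profile", "MethodName", "Deserialize", "MethodParameters")
OSF_HEADER = b"\xff\x01\x32"
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def parse_cookies(header):
    """Split a Cookie header into {lowercased name: URL-decoded value}."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name.lower()] = unquote(value)
    return jar


def has_osf_header(value):
    """True if any base64 run in value decodes to bytes starting ff 01 32."""
    for run in B64_RUN.findall(value):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            continue  # not valid base64, ignore this run
        if raw.startswith(OSF_HEADER):
            return True
    return False


def triage(cookie_header):
    """Return findings (hypothetical labels) for one request's Cookie header."""
    jar = parse_cookies(cookie_header)
    value = jar.get("dnnpersonalization")
    if value is None:
        return []
    findings = []
    if all(m.lower() in value.lower() for m in MARKERS):
        findings.append("xml-markers")
    if has_osf_header(value):
        findings.append("osf-header")
    # Assumption: on 9.2.0+ the cookie is encrypted, so no cleartext markers
    # are visible; flag the cookie pair for application-side review only.
    if not findings and ".dotnetnuke" in jar:
        findings.append("authenticated-opaque-cookie")
    return findings
```

The "authenticated-opaque-cookie" finding is context for correlation with application logs, not an alert on its own.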

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa | 7.5 | HIGH
osv | 7.5 | HIGH