CVE-2018-18982
published 2018-11-27

Priority: P276 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 60.79% (99.0th percentile)
In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| nuuo | nuuo_cms | <= 3.3 | |
| nuuo | nuuo_cms | | |

Detection & IOCs (extracted from sources)

port: 5180
command: exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure;
command: xp_cmdshell "cmd /c C:\windows\temp\#{@filename}"
path: c:/windows/temp/
command: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}
  • Monitor TCP port 5180 for NUUO CMS protocol traffic containing SQL injection patterns, specifically a 'GETOPENALARM' message with a 'SourceServer' field containing a single-quote followed by SQL statements (e.g., '; exec sp_configure ...; --)
  • Detect enabling of xp_cmdshell via SQL Server audit logs or network traffic: look for 'sp_configure' calls enabling 'show advanced options' and 'xp_cmdshell' in sequence, indicative of exploitation preparation.
  • Alert on PowerShell execution with '-ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile' flags spawned from a SQL Server process (e.g., sqlservr.exe), as this is the post-exploitation payload delivery mechanism.
  • Monitor for executable files written to C:\Windows\Temp\ by the SQL Server service account (NETWORK_SERVICE), followed by cmd.exe execution of those files via xp_cmdshell.
  • The exploit runs as NETWORK_SERVICE; alert on NETWORK_SERVICE spawning cmd.exe or powershell.exe child processes from SQL Server, especially writing and executing files in Windows temp directories.
  • SQL Server 2005 Express is installed by default with NUUO CMS, making xp_cmdshell enablement a reliable exploitation path. Defenders should verify whether xp_cmdshell is enabled on any NUUO CMS SQL Server instance.
  • The exploit can use a guessable or brute-forced session number as an alternative to credentials, meaning authentication bypass via session fixation/guessing is a viable attack path even without valid credentials.
  • The vulnerability affects NUUO CMS all versions 3.3 and prior; all such deployments should be treated as compromised if exposed to untrusted networks.
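
The two host-side checks from the list above (the sp_configure enable sequence, and shells spawned by sqlservr.exe), sketched as an added example that is not part of the original record or of any vendor tooling. The event field names (`parent`, `image`, `cmdline`), the file paths and all sample log lines are constructed assumptions; map them to whatever your SQL audit and process-creation telemetry actually emit.

```python
import re

def _enables(option):
    # Matches an sp_configure call that sets the named option to 1.
    return re.compile(r"sp_configure\s+'%s'\s*,\s*1\b" % re.escape(option), re.I)

ADV, XPCMD = _enables("show advanced options"), _enables("xp_cmdshell")
PS_FLAGS = ("-executionpolicy bypass", "-nologo", "-noninteractive", "-noprofile")
TEMP = re.compile(r"c:[\\/]windows[\\/]temp[\\/]", re.I)

def xp_cmdshell_enable_sequence(statements):
    """True if xp_cmdshell is enabled after 'show advanced options' was enabled."""
    seen_adv = False
    for sql in statements:
        # One batch may carry both calls, so compare match positions inside it.
        adv, xp = ADV.search(sql), XPCMD.search(sql)
        if xp and (seen_adv or (adv and adv.start() < xp.start())):
            return True
        seen_adv = seen_adv or bool(adv)
    return False

def flag_process_event(ev):
    """Return the reasons a process-creation event matches the guidance above."""
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    child = ev["image"].lower().rsplit("\\", 1)[-1]
    cmdline = ev["cmdline"].lower()
    if parent != "sqlservr.exe" or child not in ("cmd.exe", "powershell.exe"):
        return []
    reasons = ["shell spawned by sqlservr.exe"]
    if child == "powershell.exe" and all(f in cmdline for f in PS_FLAGS):
        reasons.append("powershell bypass flags")
    if TEMP.search(cmdline):
        reasons.append("file under windows temp")
    return reasons

# Constructed sample data (hypothetical paths and file names, not from a real host).
SQL_LOG = [
    "select name from sys.databases",
    "exec sp_configure 'show advanced options', 1; reconfigure; "
    "exec sp_configure 'xp_cmdshell', 1; reconfigure;",
]
EVENTS = [
    {"parent": r"C:\MSSQL\Binn\sqlservr.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c C:\windows\temp\sample.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    print("xp_cmdshell enable sequence:", xp_cmdshell_enable_sequence(SQL_LOG))
    for ev in EVENTS:
        print(ev["image"], flag_process_event(ev))
```

The sequence check is order-sensitive on purpose: a lone xp_cmdshell statement without the preceding 'show advanced options' change is not reported, which keeps it aligned with the "in sequence" wording above.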

CVSS provenance

nvd · v3.0 · 8.8 · HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P