CVE-2018-18982
Published 2018-11-27
Priority: P2 · 76 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 60.79% (99.0th percentile)
In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nuuo | nuuo_cms | <= 3.3 | — |
| nuuo | nuuo_cms | — | — |
Detection & IOCs
Command: exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure;
- Monitor TCP port 5180 for NUUO CMS protocol traffic containing SQL injection patterns, specifically a 'GETOPENALARM' message with a 'SourceServer' field containing a single-quote followed by SQL statements (e.g., '; exec sp_configure ...; --)
- Detect enabling of xp_cmdshell via SQL Server audit logs or network traffic: look for 'sp_configure' calls enabling 'show advanced options' and 'xp_cmdshell' in sequence, indicative of exploitation preparation.
- Alert on PowerShell execution with '-ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile' flags spawned from a SQL Server process (e.g., sqlservr.exe), as this is the post-exploitation payload delivery mechanism.
- Monitor for executable files written to C:\Windows\Temp\ by SQL Server service account (NETWORK_SERVICE), followed by cmd.exe execution of those files via xp_cmdshell.
- The exploit runs as NETWORK_SERVICE; alert on NETWORK_SERVICE spawning cmd.exe or powershell.exe child processes from SQL Server, especially writing and executing files in Windows temp directories.
- SQL Server 2005 Express is installed by default with NUUO CMS, making xp_cmdshell enablement a reliable exploitation path. Defenders should verify whether xp_cmdshell is enabled on any NUUO CMS SQL Server instance.
- The exploit can use a guessable or brute-forced session number as an alternative to credentials, meaning authentication bypass via session fixation/guessing is a viable attack path even without valid credentials.
- The vulnerability affects NUUO CMS all versions 3.3 and prior; all such deployments should be treated as compromised if exposed to untrusted networks.
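The SQL-audit and process-creation checks from the list above, combined into one triage routine. This is an added example, not code from any of the indexed sources; the event field names (`parent_image`, `image`, `command_line`, `user`) and the sample events are constructed assumptions modelled on a Sysmon-style process-create record.

```python
import re

# Both sp_configure calls, in the order the page lists them.
XP_CMDSHELL_ENABLE = re.compile(
    r"sp_configure\s+'show advanced options'\s*,\s*1.*?"
    r"sp_configure\s+'xp_cmdshell'\s*,\s*1",
    re.IGNORECASE | re.DOTALL,
)
PS_FLAGS = ("-executionpolicy bypass", "-nologo", "-noninteractive", "-noprofile")
SHELLS = ("cmd.exe", "powershell.exe")

def enables_xp_cmdshell(sql_text):
    """True if audited SQL text turns on advanced options and then xp_cmdshell."""
    return bool(XP_CMDSHELL_ENABLE.search(sql_text))

def findings(event):
    """Return the detection points from the list matched by one process-creation event.

    `event` uses hypothetical field names: parent_image, image, command_line, user.
    """
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmdline = event["command_line"].lower()
    hits = []
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("shell_from_sql_server")
        # Accept both "NETWORK SERVICE" and the page's "NETWORK_SERVICE" spelling.
        if "network service" in event["user"].lower().replace("_", " "):
            hits.append("network_service_shell")
    if image == "powershell.exe" and all(f in cmdline for f in PS_FLAGS):
        hits.append("powershell_bypass_flags")
    if image == "cmd.exe" and re.search(r"c:\\windows\\temp\\[^\\\s\"]+\.exe", cmdline):
        hits.append("exe_run_from_windows_temp")
    return hits

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"NT AUTHORITY\NETWORK SERVICE",
     "command_line": r'cmd.exe /c "C:\Windows\Temp\sample.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice",
     "command_line": "cmd.exe /c dir"},
]

for ev in SAMPLE_EVENTS:
    print(ev["image"], findings(ev))
```

An event that returns more than one finding is a stronger signal than any single match; an interactive `cmd.exe` started by a user returns an empty list.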
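CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |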
GHSA
GHSA-fhfc-88fg-r35j: NUUO CMS All versions 3
ghsa_unreviewed·2022-05-13
CVE-2018-18982 [HIGH] CWE-89 GHSA-fhfc-88fg-r35j: NUUO CMS All versions 3
In NUUO CMS, all versions 3.3 and prior, the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.
CISA ICS
NUUO CMS (Update A)
cisa_ics·2018-10-11·CVSS 9.8
[CRITICAL] NUUO CMS (Update A)
ICS Advisory: NUUO CMS (Update A)
Last Revised: November 20, 2018
Alert Code: ICSA-18-284-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: NUUO
- Equipment: CMS
--------- Begin Update A Part 1 of 3 --------
- Vulnerabilities: Use of Insufficiently Random Values, Use of Obsolete Function, Incorrect Permission Assignment for Critical Resource, Use of Hard-coded Credentials, Path Traversal, Unrestricted Upload of File with Dangerous Type, SQL Injection
--------- End Update A Part 1 of 3 ----------
## 2. UPDATE INFORMATION
This up
No detection rules found.
Exploit-DB
Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)
exploitdb·2019-02-22
CVE-2018-18982 Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Nuuo Central Management Authenticated SQL Server SQLi',
'Description' => %q{
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default cred
Metasploit
Nuuo Central Management Authenticated SQL Server SQLi
metasploit
Nuuo Central Management Authenticated SQL Server SQLi
The Nuuo Central Management Server allows an authenticated user to query the state of the alarms. This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is installed by default, xp_cmdshell can be enabled and abused to achieve code execution. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.
No writeups or analysis indexed.
Published: 2018-11-27