cbcvebase.
CVE-2018-20221
published 2019-03-21

Priority: P2 · 64 · high · CVSS 3.0: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT · EPSS: 10.46% (95.2th percentile)

Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the IIS Application Pool that is running the application.

Affected

1 range

Vendor   Product   Version range   Fixed in
deltek   ajera     <= 9.10.16      -

Detection & IOCs (extracted from sources)

path: /ajera/Secure/SAService.rem
cookie: .ASPXAUTH
command: ysoserial.exe -o raw -g TypeConfuseDelegate -f BinaryFormatter -c <cmd>
bytes: \x04 prefix on POST body followed by version and zlib-compressed BinaryFormatter payload
  • Monitor for HTTP POST requests targeting the path /ajera/Secure/SAService.rem with Content-Type: application/octet-stream, which is the exploit delivery endpoint for this deserialization vulnerability.
  • POST body for this exploit begins with the byte 0x04 followed by a version string and a zlib-compressed BinaryFormatter serialized payload. Inspect raw POST body for this structure on requests to SAService.rem.
  • The exploit uses the ysoserial TypeConfuseDelegate gadget chain with BinaryFormatter. Detect spawned child processes from the IIS Application Pool worker process (w3wp.exe) as an indicator of successful exploitation.
  • Exploitation requires an authenticated session; look for the .ASPXAUTH cookie present on POST requests to SAService.rem as a precondition indicator.
  • The executed code will run as the IIS Application Pool identity; monitor for unexpected process execution or network activity originating from w3wp.exe on hosts running Deltek Ajera Timesheets 9.10.16 and prior.
  • Exploitation requires a valid authenticated session (.ASPXAUTH cookie), meaning unauthenticated scanning alone is insufficient to trigger RCE; an attacker must first obtain valid credentials.
  • The exploit script accepts a configurable port (default 8990) and version string, meaning the payload structure may vary slightly across exploit attempts; detections should not rely solely on a fixed version byte value.
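The bullets above describe the HTTP side of the indicators; the following is an added example (not code from this page or from Deltek) that applies them to parsed requests in Python: it checks method, path, Content-Type, the .ASPXAUTH precondition, and whether the body starts with 0x04 followed by a zlib stream that fully inflates. The request-dictionary layout and the 64-byte header search window are assumptions; the w3wp.exe child-process indicator belongs in endpoint telemetry and is not covered here.

```python
import zlib
from typing import Dict, List

# Indicators taken from this page's Detection & IOCs section.
TARGET_PATH = "/ajera/secure/saservice.rem"  # compared case-insensitively
AUTH_COOKIE = ".ASPXAUTH"
ZLIB_SECOND_BYTE = {0x01, 0x5E, 0x9C, 0xDA}  # valid bytes after the 0x78 zlib marker

def find_zlib_payload(body: bytes, window: int = 64) -> int:
    """Offset of a zlib stream following the 0x04 prefix, or -1 if none inflates.
    The page gives no encoding for the version string and warns against keying on a
    fixed version value, so the first `window` bytes are scanned for a zlib header."""
    if not body or body[0] != 0x04:
        return -1
    for off in range(1, min(len(body) - 1, window)):
        if body[off] == 0x78 and body[off + 1] in ZLIB_SECOND_BYTE:
            inflater = zlib.decompressobj()
            try:
                inflater.decompress(body[off:])
            except zlib.error:
                continue
            if inflater.eof:  # a complete stream, not a chance 0x78 byte
                return off
    return -1

def match_indicators(req: Dict) -> List[str]:
    """Names of the page's indicators matched by one parsed HTTP request."""
    hits: List[str] = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if req.get("method") == "POST" and req.get("path", "").lower().endswith(TARGET_PATH):
        hits.append("post_to_saservice")
        if headers.get("content-type", "").startswith("application/octet-stream"):
            hits.append("octet_stream")
        if AUTH_COOKIE in headers.get("cookie", ""):
            hits.append("authenticated_session")  # precondition, not proof of exploitation
        if find_zlib_payload(req.get("body", b"")) != -1:
            hits.append("x04_zlib_body")  # endpoint + this body shape = likely delivery
    return hits

# Constructed sample traffic (not captured from a real system); the compressed
# blob is filler text, not a serialized object.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/ajera/Default.aspx",
     "headers": {"Cookie": ".ASPXAUTH=placeholder"}, "body": b""},
    {"method": "POST", "path": "/ajera/Secure/SAService.rem",
     "headers": {"Content-Type": "application/octet-stream",
                 "Cookie": ".ASPXAUTH=placeholder"},
     "body": b"\x04" + b"9.10.16" + zlib.compress(b"CONSTRUCTED FILLER, NOT A PAYLOAD")},
]
```

A request that matches both `post_to_saservice` and `x04_zlib_body` is the combination worth alerting on; `authenticated_session` alone only confirms the precondition.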

CVSS provenance

nvd · v3.0 · 8.8 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P