CVE-2018-9021
published 2018-06-18


Priority: P1 (81)
Severity: critical, score 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 19.38% (97.0th percentile)
An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary commands with specially crafted requests.

Affected

2 ranges
Vendor           Product                        Version range   Fixed in
broadcom         privileged_access_manager      <= 2.8.2        (none listed)
ca_technologies  ca_privileged_access_manager   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

url: https://<ip>/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|<cmd>+2>%261||&deviceMode=test
path: /ajax_cmd.php
path: /tmp/output
command: echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag
  • Detect unauthenticated GET requests to /ajax_cmd.php with the parameter cmd=AD_IMPORT and a pipe character (|) in the importID parameter, indicating OS command injection via the authentication bypass.
  • Alert on requests to /ajax_cmd.php where the importID query parameter contains shell metacharacters such as | (pipe), > (redirect), or URL-encoded equivalents (%7C, %3E, %261), which are used to inject and redirect command output.
  • Detect creation or access of /tmp/output on the CA PAM host, used by the exploit to stage and retrieve command output.
  • Alert on unauthenticated requests to /ajax_cmd.php — the exploit sends requests with no authentication headers, exploiting the authentication bypass to reach the AD_IMPORT command handler.
  • The exploit targets CA Privileged Access Manager version 2.8.2 and earlier; versions beyond 2.8.2 may not be vulnerable, but the /ajax_cmd.php endpoint should be reviewed in all deployments.
  • The exploit abuses the mysql root account (mysql -u root uag) to manipulate the configuration_f table, suggesting the CA PAM appliance runs MySQL as root with no password — this is an additional hardening concern independent of the CVE.
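The request-level detection bullets above (shell metacharacters in importID, cmd=AD_IMPORT, no authentication) can be turned into a log scanner. The block below is an added example, not code from the tracker or from any published detection rule: it parses constructed Apache combined-format access-log lines (the URL shape mirrors the IOC URL listed above, with the IOC's <cmd> placeholder kept as-is), decodes the query string twice so a double-encoded pipe (%257C) is also caught, and treats a "-" authuser field as "no authenticated user recorded", which is an assumption about how the front-end web server logs authentication.

```python
"""Detection logic for the CA PAM /ajax_cmd.php command-injection request pattern (CVE-2018-9021).

Added example; the log lines below are constructed. The regex assumes Apache/nginx
combined log format, and the authuser field is assumed to be "-" for unauthenticated requests.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters needed to chain or redirect a command inside importID
# (the IOC URL uses "|" and ">"; the others are included as a conservative superset).
SHELL_META = re.compile(r"[|;&`$<>]")

# Combined log format: ip ident authuser [timestamp] "METHOD target protocol" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<authuser>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_request(target: str, authuser: str = "-") -> list:
    """Return finding labels for one request target; an empty list means nothing matched."""
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith("/ajax_cmd.php"):
        return findings
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs percent-decodes once; decode a second time so %257C (double-encoded "|")
    # is also seen as a pipe rather than as the harmless text "%7C".
    import_ids = [unquote(v) for v in params.get("importID", [])]
    if any(SHELL_META.search(v) for v in import_ids):
        findings.append("importID_shell_metachar")
        if "AD_IMPORT" in params.get("cmd", []):
            findings.append("cve-2018-9021_ad_import_injection")
    # Assumption: "-" in the authuser column means the web server recorded no authenticated user.
    if findings and authuser == "-":
        findings.append("unauthenticated_request")
    return findings


def scan_log(lines) -> list:
    """Return (ip, target, findings) for every parseable line that produced findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m["target"], m["authuser"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # authenticated, numeric importID: a normal-looking AD import
    '10.0.0.5 - alice [18/Jun/2018:10:00:01 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=42&deviceMode=test HTTP/1.1" 200 512',
    # mirrors the IOC URL, with the IOC's <cmd> placeholder left in place
    '203.0.113.7 - - [18/Jun/2018:10:00:02 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|<cmd>+2>%261||&deviceMode=test HTTP/1.1" 200 17',
    # double-encoded pipe characters around a placeholder value
    '203.0.113.7 - - [18/Jun/2018:10:00:03 +0000] "GET /ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=%257Cplaceholder%257C%257C&deviceMode=test HTTP/1.1" 200 17',
    # unrelated endpoint
    '10.0.0.9 - - [18/Jun/2018:10:00:04 +0000] "GET /index.php?page=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a single finding of "importID_shell_metachar" on its own is worth triage, and the full three-label combination is the CVE-2018-9021 pattern the bullets describe.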

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat           7.5    HIGH