CVE-2018-9022
published 2018-06-18


Priority: P278 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 20.39% (97.2th percentile)
An authentication bypass vulnerability in CA Privileged Access Manager 2.8.2 and earlier allows remote attackers to execute arbitrary code or commands by poisoning a configuration file.

Affected (2 ranges)

Vendor           Product                        Version range   Fixed in
broadcom         privileged_access_manager      <= 2.8.2        -
ca_technologies  ca_privileged_access_manager   -               -

Detection & IOCs (extracted from sources)

url:     https://<ip>/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|<cmd>+2>%261||&deviceMode=test
path:    /ajax_cmd.php
path:    /tmp/output
command: echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag
  • Monitor HTTP/S requests to /ajax_cmd.php with the parameter cmd=AD_IMPORT and an importID value containing shell metacharacters (pipe '|', redirection '>', '&') — this is the injection point for CVE-2018-9022 RCE.
  • Detect base64-encoded payloads piped to 'base64 -d | mysql -u root uag' on the CA PAM host — this pattern is used to smuggle SQL injection payloads past simple string filters.
  • Flag creation or access of /tmp/output on the CA PAM appliance — the exploit writes command output there and retrieves it via a subsequent ajax_cmd.php request.
  • The exploit targets CA Privileged Access Manager version 2.8.2 and earlier only; the vulnerability is an authentication bypass combined with configuration file poisoning, meaning no credentials are required to reach the injection endpoint.
  • The exploit chains CVE-2018-9021 (authentication bypass on ajax_cmd.php) with CVE-2018-9022 (configuration poisoning for RCE) — both CVEs must be considered together for full impact assessment.
  • The mysql process runs as root ('mysql -u root uag'), meaning any command injected via the poisoned configuration executes with root privileges on the appliance.

CVSS provenance

Source  Version  Score  Severity   Vector
nvd     v3.1     9.8    CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P