CVE-2018-9843
published 2018-04-12


Priority: P275 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 17.34% (96.7th percentile)
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.

Affected (2 ranges)

Vendor    Product         Version range      Fixed in
cyberark  password_vault  < 9.9.5            9.9.5
cyberark  password_vault  >= 10.0, < 10.1    10.1

Detection & IOCs (extracted from sources)

Path: /PasswordVault/WebServices
  • Detect exploitation by inspecting the HTTP Authorization header for a base64-encoded .NET serialized object. A BinaryFormatter stream begins with the bytes 00 01 00 00 00 FF FF FF FF, which base64-encode to the prefix 'AAEAAAD/////'; that prefix in an Authorization value is characteristic of a BinaryFormatter-serialized .NET object.
  • Monitor HTTP requests to the path /PasswordVault/WebServices for anomalous or oversized Authorization header values that do not conform to the expected token/session format (e.g., values that contain base64 blobs starting with 'AAEAAAD/////').
  • Alert on unexpected outbound ICMP or other network connections originating from the CyberArk Password Vault Web Access server process; after successful deserialization the injected code runs in that process, so such traffic can indicate RCE.
  • No credentials are required to exploit this vulnerability: the malicious serialized object is passed in the Authorization header before any authentication takes place, so perimeter controls that merely require valid credentials will not prevent exploitation.
  • Affected versions are CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1. The cited source lists the fix as available in versions 9.9.5, 9.10 or 10.2 (the NVD affected range above ends at 10.1).
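The two header checks above can be put into a small log scanner. The following is an added example, not code from this page, from NVD or from CyberArk: it assumes a JSON-lines log with "path" and "authorization" fields (a constructed format), a hypothetical 2048-character size threshold for an Authorization value, and a constructed stand-in payload that reproduces only the BinaryFormatter stream header, not a gadget chain. It goes one step beyond the text by decoding the header before matching, so that a blob hidden behind a "Bearer" scheme word or re-encoded with the URL-safe base64 alphabet ('AAEAAAD_____') is still caught.

```python
import base64
import binascii
import json
from dataclasses import dataclass, field
from typing import List, Optional

# A .NET BinaryFormatter stream opens with a SerializationHeaderRecord:
# RecordTypeEnum=0x00, RootId=1, HeaderId=-1 (int32 LE) -> 00 01 00 00 00 FF FF FF FF,
# which base64-encodes to the "AAEAAAD/////" prefix named in the IOC list above.
BINARYFORMATTER_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff"
BASE64_MAGIC = "AAEAAAD/////"

TARGET_PATH = "/passwordvault/webservices"   # IIS paths are case-insensitive

# Assumption: a legitimate PVWA session token is far shorter than a gadget-chain payload.
OVERSIZE_THRESHOLD = 2048


@dataclass
class Verdict:
    path: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _decode_lenient(value: str) -> Optional[bytes]:
    """Base64-decode an Authorization value, tolerating a scheme word
    ("Bearer ..."), the URL-safe alphabet and stripped padding."""
    parts = value.split()
    if not parts:
        return None
    token = parts[-1].replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_authorization(path: str, auth_value: str) -> Verdict:
    """Flag an Authorization header on the PVWA REST API path that carries a
    BinaryFormatter stream, checked both as text and after decoding."""
    reasons: List[str] = []
    if not path.lower().startswith(TARGET_PATH):
        return Verdict(path, False, reasons)
    if BASE64_MAGIC in auth_value:
        reasons.append("header text contains BinaryFormatter base64 prefix AAEAAAD/////")
    decoded = _decode_lenient(auth_value)
    if decoded is not None and decoded.startswith(BINARYFORMATTER_MAGIC):
        reasons.append("decoded header starts with a BinaryFormatter SerializationHeaderRecord")
    if len(auth_value) > OVERSIZE_THRESHOLD:
        reasons.append(f"Authorization header is {len(auth_value)} chars, over {OVERSIZE_THRESHOLD}")
    return Verdict(path, bool(reasons), reasons)


def scan_log(lines) -> List[Verdict]:
    """Run inspect_authorization over JSON-lines records with 'path' and 'authorization' keys."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        verdict = inspect_authorization(rec.get("path", ""), rec.get("authorization", ""))
        if verdict.suspicious:
            hits.append(verdict)
    return hits


def encode_payload(scheme: str = "", urlsafe: bool = False, filler: int = 64) -> str:
    """Constructed stand-in for a serialized object: the real 17-byte stream header
    followed by zero filler. It is NOT a gadget chain; it only reproduces the prefix
    a detector keys on, so the sample below can be generated offline."""
    stream = BINARYFORMATTER_MAGIC + b"\x01\x00\x00\x00\x00\x00\x00\x00" + b"\x00" * filler
    encoder = base64.urlsafe_b64encode if urlsafe else base64.b64encode
    token = encoder(stream).decode()
    return f"{scheme} {token}".strip()


API = "/PasswordVault/WebServices/PIMServices.svc/Safes"

# Constructed sample log (JSON lines), not real PVWA traffic.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "10.0.0.5", "path": API, "authorization": "a0c3e8f1b2d4c6a8e0f2d4c6a8b0c2d4"},        # benign token
    {"src": "198.51.100.7", "path": API, "authorization": encode_payload()},                        # plain blob
    {"src": "198.51.100.7", "path": API, "authorization": encode_payload("Bearer", True, 3000)},    # evasive + oversized
    {"src": "10.0.0.9", "path": "/PasswordVault/v10/logon.aspx", "authorization": encode_payload()},  # outside REST path
])


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit.path, "->", "; ".join(hit.reasons))
```

Running the block prints the two flagged records: the second sample matches on both the raw text and the decoded bytes, the third only after decoding (the text match misses the URL-safe alphabet) plus the size check. The fourth sample is ignored because the scanner is scoped to the REST API path named in the IOC list; dropping the path test in inspect_authorization widens it to every request.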

CVSS provenance

Source  Version   Score  Severity  Vector
NVD     CVSS 3.0  9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD     CVSS 2.0  7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P