CVE-2018-9866
published 2018-08-03


Priority: P180, critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: listed in VulnCheck KEV; exploited in the wild
EPSS: 4.50% (90.3rd percentile)
A vulnerability in the lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances allows a remote user to execute arbitrary code. This vulnerability affected GMS version 8.1 and earlier.

Affected (3 ranges)

Vendor      Product                    Version range   Fixed in
sonicwall   global_management_system   <= 8.1
sonicwall   global_management_system
sonicwall   gms

Detection & IOCs (extracted from sources)

command: set_time_

snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SonicWall Global Management System - XMLRPC set_time_zone Command Injection (CVE-2018-9866)"; flow:established,to_server; http.request_body; content:"set_time_"; fast_pattern; content:"|22 60|"; distance:0; reference:url,exploit-db.com/exploits/45124/; reference:cve,2018-9866; classtype:attempted-user; sid:2026023; rev:4; metadata:attack_target Server, created_at 2018_08_23, cve CVE_2018_9866, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)

bytes: |22 60|
  • Exploit targets the XML-RPC interface of SonicWall GMS; inspect HTTP request bodies destined to the GMS appliance for the string 'set_time_' followed by the byte sequence 0x22 0x60 (quote + backtick), which is indicative of shell command injection via the set_time_zone XML-RPC method.
  • Traffic pattern is inbound from external networks to internal servers (to_server, established), targeting the GMS virtual appliance's XML-RPC endpoint; focus monitoring on datacenter-hosted GMS instances.
  • MITRE ATT&CK mapping is Lateral Movement (TA0008) / Exploitation of Remote Services (T1210); correlate with post-exploitation lateral movement activity if the GMS appliance is compromised.
  • The vulnerability affects SonicWall GMS version 8.1 and earlier only; ensure detection rules are scoped to environments running these versions to reduce false positives.
  • The Snort/ET rule (sid:2026023) is recommended for Datacenter deployment contexts per its metadata; deploying it broadly in non-datacenter environments may require tuning.
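As an added example (not part of this CVE record or of the ET ruleset), the following Python replays the rule's two content matches and its distance:0 constraint over HTTP request bodies, so an analyst can see which bodies sid:2026023 would and would not flag; all addresses and bodies are constructed for this illustration.

```python
"""Detection logic mirroring ET rule sid:2026023 (CVE-2018-9866).

Constructed example: reproduces the rule's content checks in Python so the
matching semantics can be tested offline against captured request bodies.
"""

SET_TIME_PATTERN = b"set_time_"   # first content match (fast_pattern)
INJECTION_BYTES = b"\x22\x60"      # second content match |22 60|: quote + backtick


def matches_sid_2026023(body: bytes) -> bool:
    """Return True when an HTTP request body satisfies the rule's content checks.

    Snort's 'distance:0' anchors the second match to begin at or after the end
    of the first, so the byte pair must follow 'set_time_' in the body, not
    merely appear anywhere in it.
    """
    start = body.find(SET_TIME_PATTERN)
    if start == -1:
        return False
    return body.find(INJECTION_BYTES, start + len(SET_TIME_PATTERN)) != -1


def scan_requests(requests):
    """Yield (src, dst) for every to-server request body that matches the rule."""
    for src, dst, body in requests:
        if matches_sid_2026023(body):
            yield src, dst


# Constructed sample traffic; addresses and XML-RPC bodies are invented.
SAMPLE_REQUESTS = [
    # benign call: method name present, but no quote+backtick after it
    ("203.0.113.7", "10.0.0.5",
     b"<methodName>set_time_zone</methodName><params><param><value>UTC</value></param></params>"),
    # suspicious: quote+backtick follows the method name, as the rule expects
    ("203.0.113.9", "10.0.0.5",
     b"<methodName>set_time_zone</methodName><params><param><value>\x22\x60PLACEHOLDER\x60\x22</value></param></params>"),
    # quote+backtick appears before 'set_time_', so distance:0 is not satisfied
    ("203.0.113.11", "10.0.0.5",
     b"<value>\x22\x60</value><methodName>set_time_zone</methodName>"),
    # unrelated XML-RPC method
    ("203.0.113.13", "10.0.0.5", b"<methodName>get_status</methodName>"),
]

if __name__ == "__main__":
    for src, dst in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT sid:2026023 {src} -> {dst}")
```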

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL