CVE-2018-18852

Basic Information

CVE State
PUBLISHED
Reserved Date
October 30, 2018
Published Date
June 18, 2019
Last Updated
August 05, 2024
Vendor
Cerio
Product
DT-300N
Description
Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection because of improper input validation of the web-interface PING feature's use of Save.cgi to execute a ping command, as exploited in the wild in October 2018.

CVSS Scores

CVSS v3.0

8.8 - HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

9.0

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploit Status

Exploited in the Wild
Yes (2019-06-18 15:00:32 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2019-06-18 15:00:32 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

andripwn/CVE-2018-18852

Type: github • Created: 2019-07-18 20:57:59 UTC • Stars: 1

CERIO RCE CVE-2018-18852, authenticated (vendor defaults) web-based RCE as root user.

hook-s3c/CVE-2018-18852

Type: github • Created: 2019-01-26 03:41:24 UTC • Stars: 46

CERIO RCE CVE-2018-18852, authenticated (vendor defaults) web-based RCE as root user.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel