CVE-2018-11138

CVE-2018-11138 is a critical-severity vulnerability in Quest Kace System Management Appliance with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-78.

Key facts

Description

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

CVE-2018-11138: Unauthenticated OS Command Injection in Quest KACE SMA 8.0.318

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2018-11138
Severity Critical (CVSS v3 9.8 / v2 10.0)
CWE CWE-78: OS Command Injection
EPSS 0.91931 (99.8th percentile)
Known Exploited Yes (CISA KEV, added 2022-03-25)
Ransomware Campaign Known to be used in ransomware attacks
Affected Product Quest KACE System Management Appliance 8.0.318

Summary

CVE-2018-11138 is a critical unauthenticated OS command injection vulnerability in the Quest KACE System Management Appliance (SMA). The /common/download_agent_installer.php script is exposed to anonymous users and can be abused to inject and execute arbitrary commands on the underlying operating system, granting an attacker full control over the appliance.

Background

Quest KACE SMA (formerly Dell KACE) is an endpoint management and systems administration platform deployed in enterprise environments to manage desktops, servers, and mobile devices. The appliance exposes a web interface for agent distribution and remote management. A PHP endpoint intended to streamline agent installer downloads was found to pass user-supplied input directly into a shell execution context without adequate sanitisation, exposing the entire appliance to remote compromise.

Root Cause

The vulnerability is classified as CWE-78: Improper Neutralisation of Special Elements used in an OS Command (OS Command Injection).

The root cause lies in the /common/download_agent_installer.php script, which constructs a server-side shell command using attacker-controllable input. The application fails to validate, sanitise, or properly escape special characters (such as shell metacharacters, backticks, pipes, and command separators) before passing the data to the underlying operating system. Consequently, an unauthenticated remote attacker can inject arbitrary operating system commands into the execution flow, causing them to run with the privileges of the web server or appliance service account.

Impact

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical).

  • Attack Vector (AV): Network – The vulnerability is exploitable remotely over the network without any prerequisites.
  • Attack Complexity (AC): Low – No special conditions or advanced techniques are required; the endpoint is reachable directly.
  • Privileges Required (PR): None – Anonymous, unauthenticated users can exploit this flaw.
  • User Interaction (UI): None – Fully automated exploitation is possible without tricking a legitimate user.
  • Scope (S): Unchanged – The vulnerable component is the appliance itself.
  • Confidentiality (C): High – Attackers can read sensitive files, extract credentials, or access managed endpoints.
  • Integrity (I): High – Attackers can modify system files, implants, or configuration data.
  • Availability (A): High – Attackers can disrupt service, delete data, or render the appliance inoperable.

Given the appliance’s privileged position in the network (it often holds administrative credentials for thousands of endpoints), a successful compromise can rapidly cascade into a domain-wide or infrastructure-wide incident.

Exploitation Walkthrough

Ethics & Legal Notice: The following description is provided for defensive and educational purposes only. Testing or exploiting this vulnerability without explicit authorisation is illegal and unethical. Organisations should validate their own environments using controlled penetration tests governed by a formal rules of engagement.

The vulnerable endpoint (/common/download_agent_installer.php) accepts user input that is later incorporated into a shell command on the server. From a defensive standpoint, the exploitation pattern typically follows these stages:

  1. Reconnaissance – The attacker identifies a publicly accessible or internally reachable Quest KACE SMA instance (commonly on TCP/443).
  2. Endpoint Discovery – The attacker locates the /common/download_agent_installer.php path, which is exposed without authentication.
  3. Injection Probe – The attacker submits crafted input containing shell metacharacters (for example, semicolons, pipes, backticks, or $(...)) through the parameters accepted by the script.
  4. Command Execution – Because the application passes the input directly to a shell interpreter, the injected commands execute on the appliance with the privileges of the web server process.
  5. Post-Exploitation – With OS-level access, the attacker may:
    • Exfiltrate appliance configuration files and database contents.
    • Harvest stored credentials used to manage endpoints.
    • Pivot to the broader network using the appliance’s trust relationships.
    • Deploy web shells or persistent backdoors for continued access.

No working exploit code is provided here; the objective is to enable defenders to understand the attack surface and implement appropriate controls.

Affected and Patched Versions

Affected:

  • Quest KACE System Management Appliance 8.0.318 (confirmed)

Patched:

  • Specific patched version information is not available in the source data. Administrators should consult Quest (now ClearCube) support channels or the vendor security advisory for the latest patched release.

Remediation

  1. Upgrade: Apply the latest vendor-supplied firmware or patch as soon as it is available. Verify the fix by checking the vendor security bulletin for CVE-2018-11138.
  2. Restrict Network Access: Place the KACE SMA management interface behind a firewall or VPN. Limit access to trusted administrative subnets only; do not expose the appliance directly to the public internet.
  3. Web Application Firewall (WAF): Deploy a WAF rule set that blocks requests to /common/download_agent_installer.php containing shell metacharacters, command separators, or anomalous parameter structures.
  4. Input Validation: If custom development or hot-fixes are applied, ensure all user-supplied input is strictly validated against an allow-list and that shell execution functions are avoided entirely where possible.
  5. Compensating Controls:
    • Disable or restrict the vulnerable endpoint if it is not required for operations.
    • Enable comprehensive logging on the appliance and forward logs to a central SIEM for anomaly detection.
    • Implement network segmentation to prevent lateral movement in the event of appliance compromise.

Detection

  • Network Monitoring: Alert on inbound HTTP requests to /common/download_agent_installer.php from unexpected source IP ranges or containing suspicious patterns (shell operators, encoded characters, unusually long parameters).
  • Endpoint/Host Monitoring: Monitor the KACE appliance for unexpected child processes spawned by the web server (for example, bash, sh, cmd.exe, powershell.exe, or unexpected curl/wget activity).
  • File Integrity Monitoring (FIM): Watch for unauthorised modifications to webroot files, new files in public directories, or changes to cron jobs and scheduled tasks.
  • SIEM Correlation: Correlate appliance logs with authentication events; unauthenticated requests that result in anomalous process execution or file access should trigger high-priority alerts.

Assessment

CVE-2018-11138 carries an EPSS score of 0.91931, placing it in the 99.8th percentile of actively exploited vulnerabilities. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added 2022-03-25) and has been associated with ransomware campaigns. These indicators strongly suggest that threat actors are actively scanning for and weaponising this flaw in the wild.

Key lessons:

  1. Never expose management appliances to the internet. Appliances like KACE SMA hold the keys to the kingdom; their compromise is often a precursor to widespread ransomware deployment.
  2. Treat critical, unauthenticated RCE as a hair-on-fire event. A CVSS 9.8 + KEV + high EPSS combination leaves little room for delay—patching or isolation must be immediate.

References

Frequently asked questions

What is CVE-2018-11138?
The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.
How severe is CVE-2018-11138?
CVE-2018-11138 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2018-11138 being actively exploited?
Yes. CVE-2018-11138 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2018-11138?
CVE-2018-11138 affects Quest Kace System Management Appliance. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2018-11138?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2018-11138 have an EU (EUVD) identifier?
Yes. CVE-2018-11138 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-3180. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2018-11138 published?
CVE-2018-11138 was published on 2018-05-31 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Quest Kace System Management Appliance

All CVEs affecting Quest Kace System Management Appliance →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →