CVE-2018-0437

HIGH

Cisco Umbrella Enterprise Roaming Client < 2.1.118 - Improper Privilege Management

Title source: rule

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-0437. PoCs published by ParagonSec.

AI-analyzed exploit summary This exploit leverages binary planting in Cisco Umbrella Roaming Client 2.0.168 by replacing either netsh.exe or cmd.exe in the ERC directory. Upon system restart, the malicious binary executes with elevated privileges, creating an admin user.

Description

A vulnerability in the Cisco Umbrella Enterprise Roaming Client (ERC) could allow an authenticated, local attacker to elevate privileges to Administrator. To exploit the vulnerability, the attacker must authenticate with valid local user credentials. This vulnerability is due to improper implementation of file system permissions, which could allow non-administrative users to place files within restricted directories. An attacker could exploit this vulnerability by placing an executable file within the restricted directory, which when executed by the ERC client, would run with Administrator privileges.

Exploits (1)

exploitdb WORKING POC

by ParagonSec · clocalwindows_x86-64

https://www.exploit-db.com/exploits/45339

View Code ZIP pw:eip

This exploit leverages binary planting in Cisco Umbrella Roaming Client 2.0.168 by replacing either netsh.exe or cmd.exe in the ERC directory. Upon system restart, the malicious binary executes with elevated privileges, creating an admin user.

Classification

Working Poc 100%

Attack Type

Lpe

Complexity

Trivial

Reliability

Reliable

Target: Cisco Umbrella Roaming Client 2.0.168

No auth needed

Prerequisites: Write access to C:\ProgramData\OpenDNS\ERC\ · System restart

MITRE ATT&CK

T1548.002 - Bypass User Account Control T1059.003 - Windows Command Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45339/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/105292

Vendor Advisory vendor-advisory x_refsource_cisco

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv

Scores

CVSS v3 7.8

EPSS 0.1295

EPSS Percentile 94.3%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269 CWE-264

Status published

Products (3)

cisco/umbrella_enterprise_roaming_client < 2.1.118

cisco/umbrella_roaming_module 4.3\(1095\)

cisco/umbrella_roaming_module < 4.6.1098

Published Oct 05, 2018

Tracked Since Feb 18, 2026