CVE-2018-11138

CRITICAL KEV RANSOMWARE NUCLEI

Quest KACE System Management Appliance 8.0.318 - Unauthenticated OS Command Injection via download_agent_installer.php


Exploitation Summary

CVE-2018-11138 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits, credited to Metasploit, Leandro Barragan, Guido Leo and bcoles, including the Metasploit module exploits/unix/http/quest_kace_systems_management_rce. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Quest KACE Systems Management Appliance by manipulating the 'orgid' parameter in the 'download_agent_installer.php' file. It allows unauthenticated RCE as the web server user 'www' by injecting a payload into the parameter.

Description

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance 8.0.318 is accessible by anonymous users and can be abused to execute arbitrary commands on the system.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/44950

This Metasploit module exploits a command injection vulnerability in Quest KACE Systems Management Appliance by manipulating the 'orgid' parameter in the 'download_agent_installer.php' file. It allows unauthenticated RCE as the web server user 'www' by injecting a payload into the parameter.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Quest KACE Systems Management Appliance version 8.0.318 (and possibly prior)
No auth needed
Prerequisites: Valid Organization ID (default: 1) · Valid Windows agent version number
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Leandro Barragan, Guido Leo, bcoles · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/quest_kace_systems_management_rce.rb

This Metasploit module exploits a command injection vulnerability in Quest KACE Systems Management Appliance by injecting arbitrary commands via the `orgid` parameter in `download_agent_installer.php`. It targets versions prior to 8.0.320 and requires an Organization ID and Windows agent version.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Quest KACE Systems Management Appliance < 8.0.320
No auth needed
Prerequisites: Organization ID · Windows agent version · Serial number (optional)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Quest KACE System Management Appliance 8.0.318 - Remote Code Execution
CRITICAL · VERIFIED · by ritikchaddha
FOFA: icon_hash="-463230636"

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44950/
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities

Scores

CVSS v3 9.8
EPSS 0.9344
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2019-06-13
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2018-3180
Ransomware Use Confirmed
CWE CWE-78
Status published
Products (1)
quest/kace_system_management_appliance 8.0.318
Published May 31, 2018
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026