CVE-2018-11509

CRITICAL

ASUSTOR ADM 3.1.0.RFQ3 - Use of Hard-coded Credentials

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-11509. PoCs published by Kyle Lovett.

AI-analyzed exploit summary: The provided text is a detailed writeup describing multiple vulnerabilities in ASUSTOR ADM 3.1.0.RFQ3, including CVE-2018-11511, a blind SQL injection in the photo gallery application. It includes PoC examples using sqlmap for exploitation but does not contain executable exploit code.

Description

ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password for applications installed from the online repository as it does for the NAS itself. This may allow an attacker to log in and upload a webshell.

Exploits (1)

exploitdb WRITEUP
by Kyle Lovett · text · webapps · cgi
https://www.exploit-db.com/exploits/45200

Classification: Writeup 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: ASUSTOR ADM 3.1.0.RFQ3 (Photo Gallery Application)
No auth needed
Prerequisites: Network access to the target system · Photo Gallery application installed and accessible
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry, exploit, x_refsource_exploit-db
https://www.exploit-db.com/exploits/45200/

Scores

CVSS v3 9.8
EPSS 0.1257
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-798
Status published
Products (1)
asustor/asustor_data_master 3.1.0
Published Aug 16, 2018
Tracked Since Feb 18, 2026