CVE-2018-11511

CRITICAL EXPLOITED IN THE WILD NUCLEI

ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection via Photo Gallery Tree List Album ID or Scope Parameter

Title source: llm

Exploitation Summary

CVE-2018-11511 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including Kyle Lovett. A Nuclei detection template is also available.

AI-analyzed exploit summary The provided text is a detailed writeup describing multiple vulnerabilities in ASUSTOR ADM 3.1.0.RFQ3, including CVE-2018-11511, a blind SQL injection in the photo gallery application. It includes PoC examples using sqlmap for exploitation but does not contain executable exploit code.

Description

The tree list functionality in the photo gallery application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection vulnerability that affects the 'album_id' or 'scope' parameter via a photo-gallery/api/album/tree_lists/ URI.

Exploits (1)

exploitdb WRITEUP

by Kyle Lovett · textwebappscgi

https://www.exploit-db.com/exploits/45200

View Code ZIP pw:eip

The provided text is a detailed writeup describing multiple vulnerabilities in ASUSTOR ADM 3.1.0.RFQ3, including CVE-2018-11511, a blind SQL injection in the photo gallery application. It includes PoC examples using sqlmap for exploitation but does not contain executable exploit code.

Classification

Writeup 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: ASUSTOR ADM 3.1.0.RFQ3 (Photo Gallery Application)

No auth needed

Prerequisites: Network access to the target system · Photo Gallery application installed and accessible

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection

CRITICALVERIFIEDby ritikchaddha

Shodan: http.html:"ASUSTOR"

FOFA: body="ASUSTOR" && icon_hash="1678170702"

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/45200/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/148919/ASUSTOR-NAS-ADM-3.1.0-Remote-Command-Execution-SQL-Injection.html

Scores

CVSS v3 9.8

EPSS 0.1118

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2020-12-14

InTheWild.io 2020-11-10

CWE

CWE-89

Status published

Products (1)

asustor/asustor_data_master 3.1.0

Published Aug 16, 2018

Tracked Since Feb 18, 2026