CVE-2018-18852

HIGH EXPLOITED IN THE WILD

Cerio Dt-300n Firmware < 1.1.12 - OS Command Injection

Title source: rule

Description

Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection because of improper input validation of the web-interface PING feature's use of Save.cgi to execute a ping command, as exploited in the wild in October 2018.

Exploits (2)

nomisec WORKING POC 46 stars

by hook-s3c · remote

https://github.com/hook-s3c/CVE-2018-18852

View Code ZIP pw:eip

nomisec WORKING POC 1 stars

by andripwn · remote

https://github.com/andripwn/CVE-2018-18852

View Code ZIP pw:eip

References (1)

[Third Party Advisory] https://www.fortiguard.com/zeroday/FG-VD-18-149

Scores

CVSS v3 8.8

EPSS 0.7082

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-06-18

InTheWild.io 2019-06-18

CWE

CWE-78

Status published

Products (1)

cerio/dt-300n_firmware 1.1.6 - 1.1.12

Published Jun 18, 2019

Tracked Since Feb 18, 2026