CVE-2018-18982

HIGH

NUUO CMS < 3.3 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-18982. PoCs published by Metasploit, Pedro Ribeiro <[email protected]>, including Metasploit module exploits/windows/nuuo/nuuo_cms_sqli.

AI-analyzed exploit summary This Metasploit module exploits an authenticated SQL injection vulnerability in Nuuo Central Management Server to enable xp_cmdshell and execute arbitrary commands, achieving remote code execution.

Description

NUUO CMS All versions 3.3 and prior the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/46449

This Metasploit module exploits an authenticated SQL injection vulnerability in Nuuo Central Management Server to enable xp_cmdshell and execute arbitrary commands, achieving remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nuuo Central Management Server <= v2.10.0
Auth required
Prerequisites: Authenticated session or valid credentials · SQL Server 2005 Express with xp_cmdshell accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Pedro Ribeiro <[email protected]> · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb

This Metasploit module exploits an authenticated SQL injection vulnerability in Nuuo Central Management Server to enable xp_cmdshell and execute arbitrary commands, leading to remote code execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Nuuo Central Management Server <= v2.10.0
Auth required
Prerequisites: Authenticated session or valid credentials · SQL Server with xp_cmdshell accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46449/
Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

Scores

CVSS v3 8.8
EPSS 0.6593
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
nuuo/nuuo_cms < 3.3
Published Nov 27, 2018
Tracked Since Feb 18, 2026