CVE-2018-20221

HIGH

Deltek Ajera Timesheets <9.10.16 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-20221. PoCs published by Anthony Cole.

AI-analyzed exploit summary

This exploit leverages a .NET deserialization vulnerability in Ajera Timesheets <= 9.10.16 to achieve remote code execution. It uses ysoserial.exe to generate a malicious payload, which is then sent to the vulnerable endpoint with authentication.

Description

Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code runs with the privileges of the IIS Application Pool identity that hosts the application.

Exploits (1)

exploitdb · WORKING POC
by Anthony Cole · text · webapps · windows
https://www.exploit-db.com/exploits/46086


Classification
Working PoC (95%)
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: Deltek Ajera Timesheets <= 9.10.16
Auth required
Prerequisites: Valid ASPXAUTH cookie · Access to ysoserial.exe · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References
http://packetstormsecurity.com/files/151035/Ajera-Timesheets-9.10.16-Deserialization.html (Exploit, Third Party Advisory, VDB Entry)
https://www.exploit-db.com/exploits/46086/ (Exploit, Third Party Advisory, VDB Entry)

Scores

CVSS v3 8.8
EPSS 0.1046
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (1)
deltek/ajera < 9.10.16
Published Mar 21, 2019
Tracked Since Feb 18, 2026