CVE-2018-20735

HIGH

BMC PATROL Agent < 11.3.01 - Unauthenticated Privilege Escalation via PatrolCli

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-20735. PoCs published by Metasploit, b0yd, including Metasploit module exploits/multi/misc/bmc_patrol_cmd_exec.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2018-20735, a vulnerability in the D-Link DIR-850L router. It leverages a command injection flaw in the HNAP (Home Network Administration Protocol) service to achieve remote code execution (RCE).

Description

An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies whether the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means that if PATROL Agent is installed on a high-value target (such as a domain controller), a low-privileged domain user can authenticate with PatrolCli, connect to the domain controller, and run commands as SYSTEM. This means any user on the domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe the escalation is adequately prevented by means of a custom, non-default configuration.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/46556

This Metasploit module exploits CVE-2018-20735, a vulnerability in the D-Link DIR-850L router. It leverages a command injection flaw in the HNAP (Home Network Administration Protocol) service to achieve remote code execution (RCE).

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: D-Link DIR-850L router (firmware versions prior to fix)
No auth needed
Prerequisites: Network access to the vulnerable device · HNAP service exposed and accessible
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · EXCELLENT
by b0yd · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb

This Metasploit module exploits a command execution vulnerability in BMC Patrol, likely leveraging a deserialization or command injection flaw. The code includes PowerShell integration and network communication for payload delivery.

Classification
Working PoC 95%
Attack Type
RCE
Complexity
Moderate
Reliability
Reliable
Target: BMC Patrol (version unspecified)
No auth needed
Prerequisites: Network access to target · BMC Patrol service exposed
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/46556/

Scores

CVSS v3 7.8
EPSS 0.3801
EPSS Percentile 97.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (1)
bmc/patrol_agent < 11.3.01
Published Jan 17, 2019
Tracked Since Feb 18, 2026