CVE-2018-20735

HIGH

BMC Patrol Agent < 11.3.01 - Authentication Bypass

Description

An issue was discovered in BMC PATROL Agent through 11.3.01. The PatrolCli application can allow lateral movement and escalation of privilege inside a Windows Active Directory environment. By default, the PatrolCli / PATROL Agent application only verifies that the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means that if PATROL Agent is installed on a high-value target (domain controller), a low-privileged domain user can authenticate with PatrolCli, connect to the domain controller, and run commands as SYSTEM. Any user on a domain can therefore escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration.

Exploits (2)

exploitdb: WORKING POC, VERIFIED
by Metasploit · ruby, remote, multiple
https://www.exploit-db.com/exploits/46556

metasploit: WORKING POC, EXCELLENT
by b0yd · ruby, poc, win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/bmc_patrol_cmd_exec.rb

Scores

CVSS v3: 7.8
EPSS: 0.3801
EPSS Percentile: 97.2%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-287
Status: published
Products (1): bmc/patrol_agent < 11.3.01
Published: Jan 17, 2019
Tracked Since: Feb 18, 2026