CVE-2018-6328

CRITICAL

Kaseya Unitrends Backup < 10.1 - Unauthenticated Command Injection via /api/hosts Parameter

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-6328. PoCs published by Metasploit, Jared Arave, Cale Smith, Benny Husted, and h00die, including the Metasploit module exploits/linux/http/ueb_api_rce.

AI-analyzed exploit summary: This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UEB) versions before 10.0.0 and UEB < 10.1.0. It leverages SQL injection for authentication bypass and command injection via unvalidated input parameters in the API endpoints.

Description

It was discovered that the Unitrends Backup (UB) before 10.1.0 user interface was exposed to an authentication bypass, which then could allow an unauthenticated user to inject arbitrary commands into its /api/hosts parameters using backquotes.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/45559

This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UEB) versions before 10.0.0 and UEB < 10.1.0. It leverages SQL injection for authentication bypass and command injection via unvalidated input parameters in the API endpoints.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unitrends Backup (UEB) before 10.0.0 and UEB < 10.1.0
No auth needed
Prerequisites: Network access to the target system · Target system running vulnerable UEB version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Jared Arave · python · remote · linux
https://www.exploit-db.com/exploits/44297

This exploit leverages an unauthenticated SQL injection (CVE-2018-6328) to achieve remote command execution as a low-privileged user, followed by a local privilege escalation (CVE-2018-6329) to execute arbitrary commands as root. It establishes a reverse shell via a bindshell and uploads a Python-based privilege escalation script.

Classification: Working PoC 95%
Attack Type: RCE | LPE | SQLi | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Unitrends UEB 10.0.0
No auth needed
Prerequisites: Network access to the target · Target running Unitrends UEB 10.0.0 · Python environment for the exploit
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Cale Smith, Benny Husted, Jared Arave, h00die · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ueb_api_rce.rb

This Metasploit module exploits an authentication bypass and command injection vulnerability in Unitrends Backup (UEB) before 10.0.0. It uses SQL injection to bypass authentication and injects arbitrary commands via the 'hostname' or 'ip' parameters in the API endpoints '/api/storage' (UEB 9) or '/api/hosts' (UEB < 10.1.0).

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unitrends Backup (UEB) before 10.0.0
No auth needed
Prerequisites: Network access to the target system · SSL/TLS enabled on port 443
devstral-2 · analyzed Apr 23, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45559/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44297/

Scores

CVSS v3: 9.8
EPSS: 0.7096
EPSS Percentile: 98.7%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-287
Status: published
Products (1): kaseya/unitrends_backup < 10.1
Published: Mar 14, 2018
Tracked Since: Feb 18, 2026