CVE-2018-6961

HIGH KEV NUCLEI

VMware NSX SD-WAN by VeloCloud < 3.1.0 - Remote Code Execution via Local Web UI Command Injection

Title source: llm

Exploitation Summary

CVE-2018-6961 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 3 public exploits from researchers including ParagonSec, r3dxpl0it, and bokanrb. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages an unauthenticated command injection vulnerability in VMware NSX SD-WAN by VeloCloud. It injects a payload into diagnostic functions (traceroute, ping, or DNS) to execute arbitrary commands, such as exfiltrating /etc/shadow via netcat.

Description

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.

Exploits (3)

exploitdb WORKING POC VERIFIED
by ParagonSec · python · webapps · hardware
https://www.exploit-db.com/exploits/44959

This exploit leverages an unauthenticated command injection vulnerability in VMware NSX SD-WAN by VeloCloud. It injects a payload into diagnostic functions (traceroute, ping, or DNS) to execute arbitrary commands, such as exfiltrating /etc/shadow via netcat.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VMware NSX SD-WAN by VeloCloud 3.1.1
No auth needed
Prerequisites: Network access to the target · Netcat listener for payload exfiltration
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by r3dxpl0it · remote
https://github.com/r3dxpl0it/CVE-2018-6961

This is a Python3 exploit for CVE-2018-6961, targeting an unauthenticated command injection vulnerability in VMware NSX SD-WAN by VeloCloud. It leverages the local web UI component to execute arbitrary commands via crafted POST requests to the ajaxPortal.lua endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VMware NSX SD-WAN by VeloCloud prior to version 3.1.0
No auth needed
Prerequisites: Network access to the target's local web UI · Local web UI component enabled on the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by bokanrb · remote
https://github.com/bokanrb/CVE-2018-6961

This is a functional exploit for CVE-2018-6961, an unauthenticated command injection vulnerability in VMware NSX SD-WAN by VeloCloud. The exploit sends a crafted POST request to inject a reverse shell payload via the `ajaxPortal.lua` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: VMware NSX SD-WAN by VeloCloud (tested on 3.1.1)
No auth needed
Prerequisites: Python 2.7 · requests library · network access to target · listener setup for reverse shell
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

VMware NSX SD-WAN Edge - Command Injection
CRITICAL · VERIFIED · by D3nverNg, thewindghost
Shodan: title:"VeloCloud"
FOFA: title="VeloCloud"

References (5)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104185
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44959/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1041210

Scores

CVSS v3 8.1
EPSS 0.9388
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2019-06-06
InTheWild.io 2019-06-06
ENISA EUVD EUVD-2018-18705
CWE CWE-78
Status published
Products (1)
vmware/nsx_sd-wan_by_velocloud < 3.1.0
Published Jun 11, 2018
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026