CVE-2018-8880

HIGH

Lutron Quantum BACnet Integration <3.2.243 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8880. PoCs published by SadFud.

AI-analyzed exploit summary: This exploit leverages an information disclosure vulnerability in Lutron Quantum devices to leak sensitive device and network information without authentication. It sends a GET request to the '/deviceIP' endpoint and parses the response to extract details such as MAC address, internal IP, and service ports.

Description

Lutron Quantum BACnet Integration 2.0 (firmware 3.2.243) doesn't check for correct user authentication before showing the /deviceIP information, which leads to internal network information disclosure.

Exploits (1)

exploitdb · WORKING POC
by SadFud · python · webapps · hardware
https://www.exploit-db.com/exploits/44488

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Lutron Quantum 2.0 - 3.2.243 firmware
Authentication: No auth needed
Prerequisites: Network access to the target device · Target device running vulnerable Lutron Quantum firmware
Analysis: devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
http://sadfud.me/explotos/deviceip.txt
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44488/

Scores

CVSS v3: 7.5
EPSS: 0.1458
EPSS Percentile: 96.2%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-200
Status: published
Products (1): lutron/quantum_bacnet_integration_firmware 3.2.243
Published: Apr 23, 2018
Tracked Since: Feb 18, 2026