CVE-2018-20735
CVE-2018-20735
Vexday Risk Score
38Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Automatable exploit available (Nuclei/Metasploit).
CVSS —EPSS 7.5%KEV nãoPoC públicaNuclei —Metasploit simPatch —
Lifecycle
17 Jan 2019Metasploit module available
17 Jan 2019Published on NVD
18 Mar 2019Public PoC
Weaponization speed
59 daysto first PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only verifies if the password provided for the given username is correct; it does not verify the permissions of the user on the network. This means if you have PATROL Agent installed on a high value target (domain controller), you can use a low privileged domain user to authenticate with PatrolCli and then connect to the domain controller and run commands as SYSTEM. This means any user on a domain can escalate to domain admin through PATROL Agent. NOTE: the vendor disputes this because they believe it is adequate to prevent this escalation by means of a custom, non-default configuration
Affected products
n/a · n/apublic PoCs found — 2
cve_referencewww.exploit-db.com/exploits/46556/unverifiedexploitdbwww.exploit-db.com/exploits/46556unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.