CVE-2018-11138: Quest KACE System Management Appliance Remote Command Execution Vulnerability

Source: CISA Known Exploited Vulnerabilities catalog · back to feed

Vendor / product

Quest · KACE System Management Appliance

Date added (KEV): Mar 25, 2022
CISA due date: Apr 15, 2022
Ransomware campaign use: Known

Required action

Apply updates per vendor instructions.

Vendor fix: Vendor advisory

Scorifya interpretation

AI-generated

A short, structured read of the record above — generated when this page first loads, then cached for a week.

Plain English

Technical detail

From CISA

The '/common/download_agent_installer.php' script in the Quest KACE System Management Appliance is accessible by anonymous users and can be abused to perform remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2018-11138

References

https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilitiesExploitTechnical DescriptionThird Party Advisory
https://www.exploit-db.com/exploits/44950/ExploitThird Party AdvisoryVDB Entry
https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilitiesExploitTechnical DescriptionThird Party Advisory
https://www.exploit-db.com/exploits/44950/Exploit

Other recent CVEs from Quest

CVE-2025-32975KACE Systems Management Appliance (SMA) — Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability

Check your domain's public posture

Scorifya doesn't test for specific CVEs, but if patching Quest changed your headers or TLS, a fresh hardening scan helps confirm nothing regressed externally.

Run a free scan Methodology