{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/acl/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25320"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ACL Analytics (11.x through 13.0.0.579)"],"_cs_severities":["critical"],"_cs_tags":["code execution","vulnerability","acl analytics"],"_cs_type":"advisory","_cs_vendors":["ACL"],"content_html":"\u003cp\u003eACL Analytics versions 11.x through 13.0.0.579 are susceptible to an arbitrary code execution vulnerability. This vulnerability, identified as CVE-2018-25320, stems from the EXECUTE function within the software. An attacker can exploit this flaw to inject and execute arbitrary commands on the targeted system. The attack involves leveraging the EXECUTE function to download and execute malicious PowerShell scripts using bitsadmin. Successful exploitation grants the attacker SYSTEM-level privileges, enabling them to establish reverse shells and gain complete control over the compromised system.\nThis vulnerability poses a significant threat to organizations using affected versions of ACL Analytics, potentially resulting in data breaches, system compromise, and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable ACL Analytics instance running versions 11.x through 13.0.0.579.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious command that leverages the EXECUTE function within ACL Analytics.\u003c/li\u003e\n\u003cli\u003eThe crafted command uses bitsadmin to download a malicious PowerShell script from a remote server.\u003c/li\u003e\n\u003cli\u003eACL Analytics executes the bitsadmin command, downloading the PowerShell script to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe downloaded PowerShell script is then executed with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script establishes a reverse shell connection to the attacker\u0026rsquo;s controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control over the compromised system with SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can perform various malicious activities, including data exfiltration, installing malware, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25320 can lead to complete system compromise. An attacker with SYSTEM privileges can access sensitive data, install malware, and pivot to other systems within the organization\u0026rsquo;s network. This can result in significant financial losses, reputational damage, and legal liabilities.\nThe vulnerability affects all organizations using ACL Analytics versions 11.x through 13.0.0.579, potentially impacting a wide range of sectors that rely on this software for data analysis and compliance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ACL Analytics to a patched version beyond 13.0.0.579 to remediate CVE-2018-25320.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Bitsadmin Usage for Download\u0026rdquo; to identify potential exploitation attempts using bitsadmin as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for PowerShell scripts being executed with SYSTEM privileges after a bitsadmin download, as this is a common indicator of compromise, activating the \u0026ldquo;Detect PowerShell Reverse Shell\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect reverse shell connections originating from systems running ACL Analytics.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-17T13:17:18Z","date_published":"2026-05-17T13:17:18Z","id":"https://feed.craftedsignal.io/briefs/2026-05-acl-analytics-rce/","summary":"ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability (CVE-2018-25320) that allows attackers to execute arbitrary commands by leveraging the EXECUTE function, potentially leading to remote code execution with system privileges.","title":"ACL Analytics Arbitrary Code Execution Vulnerability (CVE-2018-25320)","url":"https://feed.craftedsignal.io/briefs/2026-05-acl-analytics-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — ACL","version":"https://jsonfeed.org/version/1.1"}