CVE-2018-6961

high

Description

VMware NSX SD-WAN Edge by VeloCloud prior to version 3.1.0 contains a command injection vulnerability in the local web UI component. This component is disabled by default and should not be enabled on untrusted networks. VeloCloud by VMware will be removing this service from the product in future releases. Successful exploitation of this issue could result in remote code execution.

References

https://www.exploit-db.com/exploits/44959/

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-6961

http://www.vmware.com/security/advisories/VMSA-2018-0011.html

http://www.securitytracker.com/id/1041210

http://www.securityfocus.com/bid/104185

Details

Source: Mitre, NVD

Published: 2018-06-11

Updated: 2026-06-17

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.86431