CVE-2018-25320 -- CVSS 9.8 Vulnerability Briefing
CVE-2018-25320 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2018-25320 is an arbitrary code execution vulnerability in ACL Analytics versions 11.x through 13.0.0.579, a data analysis and audit software platform. It stems from the application's built-in EXECUTE function, which runs operating system commands, being reachable from script content that the application does not treat as untrusted.
Technical Detail
The flaw is in ACL Analytics' EXECUTE function, a scripting command that launches an external program or operating system command. Because the application does not restrict what reaches EXECUTE, any attacker who can get script content into the application's scripting or query interface, for example through a crafted script or project file that a user opens or runs, or another input that the application executes as a script, can run arbitrary commands on the host. The commands run with the privileges of the ACL Analytics process, typically the interactive account of the analyst or auditor using it, so successful exploitation gives the attacker that user's access to local data, mapped shares and network resources, and a foothold for credential theft, data exfiltration and lateral movement. The CVSS 9.8 rating reflects network reachability and no required privileges in the scoring; in practice, delivery usually depends on a user handling attacker-supplied script or project content.
Exploitation Status
No exploit code has been publicly documented for this vulnerability, no proof of concept has been published, and it does not appear in CISA's Known Exploited Vulnerabilities catalog as of May 24, 2026. Exploitation in the wild has not been confirmed. The absence of public exploit code should not be read as low risk: the vulnerable primitive is a documented command that runs operating system commands, so no memory-corruption or bypass research is needed to weaponize it once an attacker can deliver script content to the application.
Who Is Targeting This
Confirmed (ATTAX-verified): TA577 (origin unspecified, motivation unknown); Lazarus Group (DPRK, nation-state motivation); Moonstone Sleet (DPRK, nation-state motivation); APT29 (Russia, nation-state motivation). The association of several nation-state-linked threat actors with this CVE warrants elevated concern, particularly for organizations in sectors these groups commonly target, such as financial services, government and critical infrastructure. Note that this attribution sits alongside the absence of public exploit code and of confirmed in-the-wild exploitation described above; treat it as a prioritization signal rather than as evidence of an observed campaign against this specific CVE. No additional reported (research-inferred) actor attribution is present in the current dataset.
What To Do
Organizations running ACL Analytics versions 11.x through 13.0.0.579 should upgrade to a version later than 13.0.0.579 that the vendor identifies as fixed, treating this as a critical-priority patch given the CVSS 9.8 score and the actor associations above. Where immediate patching is not feasible, restrict use of ACL Analytics to trusted, authenticated users; treat scripts and project files received from outside the organization as untrusted and review them for EXECUTE before opening or running them; and disable or restrict the EXECUTE function through application-level controls if the deployed version supports such configuration. Because the application is typically a desktop tool, network controls should keep it off internet-facing hosts and limit the hosts it runs on to internal networks. For detection, the most reliable signal is process ancestry: the ACL Analytics process spawning cmd.exe, powershell.exe, script hosts or other unexpected children is exactly what EXECUTE produces, so alert on child processes of the ACL Analytics executable and on command lines that carry download cradles, encoded commands or reconnaissance commands, and review application audit logs for unexpected scripting or EXECUTE activity. Given the actor profile associated with this vulnerability, defenders should also monitor for lateral movement and data staging on analyst and auditor workstations after any such alert.
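The detection described above, as an added example that is not part of the original briefing and not vendor code: it evaluates Sysmon-style process-creation records (Event ID 1 fields ParentImage, Image, CommandLine, User) and raises an alert whenever the ACL Analytics process spawns a child. The executable name ACLWin.exe is an assumption for this example and should be replaced with the binary actually deployed; the sample events are constructed, not real telemetry. Shells, script hosts and LOLBins, or command lines carrying encoded commands, download cradles or recon commands, are rated high; any other child of the analytics process is rated medium so that legitimate but unusual EXECUTE use (exports to Excel, for instance) is still surfaced for review rather than suppressed.

```python
"""Flag OS command execution spawned by the ACL Analytics process.

Added example for CVE-2018-25320 detection; not from the original briefing
or the vendor. Input shape follows Sysmon Event ID 1 field names.
"""
import json
import os
from typing import Iterable, Optional

# ASSUMPTION: the ACL Analytics desktop executable is named ACLWin.exe.
# Set this to the image name actually deployed in your environment.
ACL_IMAGE_NAMES = {"aclwin.exe"}

# Children whose appearance under a data-analysis tool is a strong signal
# of OS command execution: shells, script hosts and common LOLBins.
HIGH_RISK_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line fragments typical of encoded commands, download cradles and
# host/domain reconnaissance; matched as substrings of the lower-cased line.
SUSPICIOUS_CMDLINE = (
    "-enc ", "-encodedcommand", "downloadstring", "downloadfile", "iex ",
    "invoke-expression", "whoami", "net user", "net group", "nltest",
)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX image path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate_event(event: dict) -> Optional[dict]:
    """Return an alert for a process-creation event whose parent is ACL
    Analytics, or None when the parent is any other process."""
    if image_name(event.get("ParentImage", "")) not in ACL_IMAGE_NAMES:
        return None
    child = image_name(event.get("Image", ""))
    raw_cmdline = event.get("CommandLine", "")
    cmdline = raw_cmdline.lower()

    reasons = []
    if child in HIGH_RISK_CHILDREN:
        reasons.append(f"shell or script host {child} spawned by ACL Analytics")
    hits = [frag.strip() for frag in SUSPICIOUS_CMDLINE if frag in cmdline]
    if hits:
        reasons.append("suspicious command line: " + ", ".join(hits))

    # Any child of the analytics process is worth a look: EXECUTE is the
    # only normal way it launches other programs.
    severity = "high" if reasons else "medium"
    if not reasons:
        reasons.append(f"unexpected child process {child} spawned by ACL Analytics")
    return {
        "time": event.get("UtcTime"),
        "host": event.get("Computer"),
        "user": event.get("User"),
        "child": child,
        "severity": severity,
        "reasons": reasons,
        "command_line": raw_cmdline,
    }


def scan(events: Iterable[dict]) -> list:
    """Evaluate a batch of events and return the alerts, in input order."""
    return [a for a in (evaluate_event(e) for e in events) if a]


# Constructed sample telemetry (not real events). Paths use the Sysmon
# field names; parent-path casing varies to show the case-folding.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-05-24 09:12:01", "Computer": "AUDIT-WS01", "User": "CORP\\analyst",
     "ParentImage": "C:\\Program Files (x86)\\ACL Software\\ACL Analytics\\ACLWin.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all > C:\\Users\\Public\\w.txt"},
    {"UtcTime": "2026-05-24 09:12:03", "Computer": "AUDIT-WS01", "User": "CORP\\analyst",
     "ParentImage": "c:\\program files (x86)\\acl software\\acl analytics\\aclwin.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"UtcTime": "2026-05-24 09:15:40", "Computer": "AUDIT-WS01", "User": "CORP\\analyst",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2026-05-24 09:20:12", "Computer": "AUDIT-WS01", "User": "CORP\\analyst",
     "ParentImage": "C:\\Program Files (x86)\\ACL Software\\ACL Analytics\\ACLWin.exe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "\"EXCEL.EXE\" C:\\Audit\\results.xlsx"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run against the constructed events, the first two records (cmd.exe running whoami, powershell.exe with an encoded command) alert as high, the explorer.exe-parented cmd.exe is ignored because the parent is not ACL Analytics, and the Excel launch alerts as medium for analyst review. The same logic maps directly onto a SIEM rule: parent image equals the ACL Analytics executable, optionally joined with the child-image and command-line lists above.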