Avamar, Integrated Data Protection Appliance - Authentication Bypass (CVE-2018-1217)
307Exploiting IPs reported
Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, and 7.5.0, and Dell EMC Integrated Data Protection Appliance 2.0 and 2.1, is affected by a missing access control check vulnerability which could potentially allow a remote unauthenticated attacker to read or change the Local Download Service (LDLS) credentials. The LDLS credentials are used to connect to Dell EMC Online Support. If the LDLS configuration was changed to an invalid configuration, then Avamar Installation Manager may not be able to connect to Dell EMC Online Support web site successfully. The remote unauthenticated attacker can also read and use the credentials to login to Dell EMC Online Support, impersonating the AVI service actions using those credentials.
CrowdSec analysis
CVE-2018-1217 is a critical vulnerability in Dell EMC Avamar Server and Integrated Data Protection Appliance that stems from missing access control checks in the Avamar Installation Manager. This flaw allows remote, unauthenticated attackers to read or modify Local Download Service (LDLS) credentials, potentially enabling them to impersonate service actions or disrupt connectivity to Dell EMC Online Support. Attackers could exploit this vulnerability to gain unauthorized access, compromise sensitive credentials, and impact the integrity and availability of backup and support services.
CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.
CrowdSec network data shows that most actors exploiting CVE-2018-1217 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2018-1217 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2018-1217 is currently experiencing high visibility and active exploitation across the internet.
Attackers exploit unauthenticated POST requests to the /avi/avigui/avigwt endpoint, attempting to invoke the getLDLSConfig method in order to read or modify sensitive LDLS credentials.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.