VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 16, 2024

CVE-2018-1547

Description

IBM Robotic Process Automation with Automation Anywhere 10.0 could allow a remote attacker to execute arbitrary code on the system, caused by improper output encoding in a CSV export. By persuading a victim to download the CSV export, to open it in Microsoft Excel and to confirm the two security questions, an attacker could exploit this vulnerability to run any command or program on the victim's machine. IBM X-Force ID: 142651.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Robotic Process Automation with Automation Anywhere 10.0 is vulnerable to remote code execution due to improper CSV output encoding, exploited via a specially crafted file opened in Excel.

Vulnerability

IBM Robotic Process Automation with Automation Anywhere version 10.0.0.0 is affected by a remote code execution vulnerability [1]. The issue stems from improper output encoding when generating CSV exports. An attacker can embed malicious formulas or commands within the CSV data, which are not properly sanitized before being written to the file. When the victim opens the crafted CSV export in Microsoft Excel, the formulas may be executed automatically or after user confirmation, depending on Excel's security settings [1].
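What proper output encoding for a CSV export can look like, as an added example that is not IBM's or Automation Anywhere's code or fix. The function names, the plain-number exception and the sample rows are assumptions made for illustration; the block also audits an existing export for cells Excel would evaluate.

```python
import csv
import io
import re

TRIGGERS = ("=", "+", "-", "@")            # leading characters that make Excel parse a cell as a formula
NUMERIC = re.compile(r"[+-]?\d+(\.\d+)?")  # plain signed numbers are left untouched (assumption)


def neutralize(value):
    """Return the cell as text Excel will display instead of evaluate."""
    text = "" if value is None else str(value)
    if NUMERIC.fullmatch(text):
        return text
    # Tab/CR prefixes and leading spaces are treated conservatively as formula starts.
    if text[:1] in ("\t", "\r") or text.lstrip()[:1] in TRIGGERS:
        return "'" + text
    return text


def export_rows(rows, harden=True):
    """Serialize rows to CSV; harden=False reproduces an unencoded export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize(c) if harden else c for c in row])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Audit an existing export: list (row, column, value) of cells that would be evaluated."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text, newline=""))):
        hits += [(r, c, cell) for c, cell in enumerate(row) if neutralize(cell) != cell]
    return hits


# Constructed sample data with harmless arithmetic formulas in user-controlled fields.
SAMPLE = [
    ["task", "owner", "note"],
    ["Invoice bot", "alice", "=1+1"],
    ["Payroll bot", "bob", "-42"],
    ["HR bot", "@carol", "  +SUM(A1:A2)"],
]

if __name__ == "__main__":
    print(find_formula_cells(export_rows(SAMPLE, harden=False)))  # three risky cells
    print(find_formula_cells(export_rows(SAMPLE)))                # none after encoding
```

The apostrophe prefix changes the stored value, so consumers other than spreadsheet applications will see it literally; exports that feed both should neutralize only on the spreadsheet path.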

Exploitation

To exploit this vulnerability, an attacker must first persuade a victim to download a specially crafted CSV export file generated by the affected IBM Robotic Process Automation software (with Automation Anywhere 10.0) [1]. The attacker does not require any special network access beyond being able to serve or link the malicious CSV to the victim. The victim must then open the CSV file in Microsoft Excel. Upon opening, Excel may display two security prompts (e.g., regarding external content or data connections). If the victim confirms these prompts, the embedded malicious command or program will execute on the victim's machine [1]. User interaction is therefore required, and the exploitation is not fully automatic.

Impact

Successful exploitation allows the attacker to execute arbitrary commands or programs on the victim's machine with the privileges of the current user. Since the attacker controls the embedded formulas, this can lead to full compromise of the system, including data exfiltration (confidentiality breach), modification or destruction of data (integrity loss), and potential further lateral movement (availability impact). The CVSS v3.0 score is 8.0 (High) with vector AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H [1], indicating high confidentiality, integrity, and availability impacts, though requiring user interaction and high attack complexity.

Mitigation

IBM released a security bulletin (swg22016197) addressing this vulnerability [1]. As of the publication date (2018-06-07), no specific workaround is available; IBM recommends upgrading to a fixed version. Users of IBM Robotic Process Automation with Automation Anywhere V10.0.0.0 should apply the patch or update as per the vendor's instructions. Additionally, administrators can advise users to exercise caution when opening CSV exports from the affected software, particularly if the file originates from untrusted sources, until the patch is applied. No other mitigations are detailed in the available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
