CVE-2018-20221
Description
Secure/SAService.rem in Deltek Ajera Timesheets 9.10.16 and prior are vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code will run as the IIS Application Pool that is running the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Deltek Ajera Timesheets <= 9.10.16 allows authenticated remote code execution via deserialization in Secure/SAService.rem.
Vulnerability
Secure/SAService.rem endpoint in Deltek Ajera Timesheets versions prior to and including 9.10.16 performs insecure deserialization of user-supplied data. The vulnerability allows an authenticated attacker to trigger deserialization of arbitrary .NET objects, leading to remote code execution. Affected versions: <= 9.10.16 [1].
Exploitation
An attacker must have valid authentication credentials (e.g., an ASPXAUTH cookie) to access the vulnerable endpoint. The attacker crafts a malicious serialized payload using tools like ysoserial.net and sends it to Secure/SAService.rem. The server then deserializes the payload, executing arbitrary commands in the context of the IIS Application Pool [1].
Impact
Successful exploitation results in remote code execution as the IIS Application Pool user, which typically has high privileges on the web server. This can lead to full compromise of the application and underlying system, including data exfiltration, installation of backdoors, and lateral movement [1].
Mitigation
As of the public disclosure, no official patch or mitigation has been released by Deltek. Users are advised to restrict network access to the vulnerable endpoint, apply the principle of least privilege to the application pool account, and monitor for suspicious activity. Upgrading to a version newer than 9.10.16 may address the issue, but no confirmation is available from the vendor [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=9.10.16
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- packetstormsecurity.com/files/151035/Ajera-Timesheets-9.10.16-Deserialization.htmlmitrex_refsource_MISC
- www.exploit-db.com/exploits/46086/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.