CVE-2018-16763
CVE-2018-16763
Vexday Risk Score
84Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
Exploit maturity
Functional exploit
Popular PoC on GitHub (25 stars) — exploitation code widely available.
CVSS —EPSS 82.9%KEV nãoPoC públicaNuclei simMetasploit —Patch —
Lifecycle
09 Sep 2018Published on NVD
26 Mar 2020Public PoC
Weaponization speed
563 daysto first PoC
Recommendation: Patch as soon as possible — active exploitation confirmed.
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
Affected products
n/a · n/apublic PoCs found — 46
githubgithub.com/p0dalirius/CVE-2018-16763-FuelCMS-1.4.1-RCE★ 25githubgithub.com/altsun/CVE-2018-16763-FuelCMS-1.4.1-RCE★ 5githubgithub.com/padsalatushal/CVE-2018-16763★ 5githubgithub.com/n3m1sys/CVE-2018-16763-Exploit-Python3★ 4githubgithub.com/shoamshilo/Fuel-CMS-Remote-Code-Execution-1.4--RCE--★ 3githubgithub.com/hikarihacks/CVE-2018-16763-exploit★ 2githubgithub.com/kxisxr/Bash-Script-CVE-2018-16763★ 2githubgithub.com/h3x0v3rl0rd/CVE-2018-16763★ 2githubgithub.com/not1cyyy/CVE-2018-16763★ 2githubgithub.com/dinhbaouit/CVE-2018-16763★ 1githubgithub.com/kaxm23/exploit_cms_fuel★ 1githubgithub.com/saccles/CVE_2018_16763_Proof_of_Concept★ 0githubgithub.com/antisecc/CVE-2018-16763★ 0githubgithub.com/VitoBonetti/CVE-2018-16763★ 0githubgithub.com/ArtemCyberLab/Project-Exploiting-a-Vulnerability-in-Fuel-CMS-CVE-2018-16763-★ 0githubgithub.com/bad-c0de/CVE-2018-16763_FuelCMS-1.4.1_RCE★ 0githubgithub.com/Cyberuser-hash/CVE-2018-16763★ 0githubgithub.com/estebanzarate/CVE-2018-16763-Fuel-CMS-1.4.1-Remote-Code-Execution-PoC★ 0githubgithub.com/uwueviee/Fu3l-F1lt3r★ 0githubgithub.com/SOME-1HING/CVE-2018-16763★ 0githubgithub.com/wizardy0ga/THM-Vulnerability_Capstone-CVE-2018-16763★ 0githubgithub.com/BrunoPincho/cve-2018-16763-rust★ 0vulncheckvulncheck.com/xdb/2cc8e2b339ceunverifiedcve_referencepacketstormsecurity.com/files/153696/fuelCMS-1.4.1-Remote-Code-Execution.htmlunverifiedvulncheckvulncheck.com/xdb/d8052370d9c1unverifiedcve_referencepacketstormsecurity.com/files/160080/Fuel-CMS-1.4-Remote-Code-Execution.htmlunverifiedcve_referencepacketstormsecurity.com/files/164756/Fuel-CMS-1.4.1-Remote-Code-Execution.htmlunverifiedcve_referencewww.exploit-db.com/exploits/47138unverifiedexploitdbwww.exploit-db.com/exploits/49487unverifiedexploitdbwww.exploit-db.com/exploits/50477unverifiedvulncheckvulncheck.com/xdb/7736671df5bfunverifiedvulncheckvulncheck.com/xdb/df65f1b13b31unverifiedvulncheckvulncheck.com/xdb/cb5e6b86473funverifiedvulncheckvulncheck.com/xdb/a398ae86c529unverifiedvulncheckvulncheck.com/xdb/a3b720e793f2unverifiedvulncheckvulncheck.com/xdb/b674975802b1unverifiedvulncheckvulncheck.com/xdb/8115b3c12826unverifiedvulncheckvulncheck.com/xdb/51d3142a58d1unverifiedvulncheckvulncheck.com/xdb/1c8a5d144848unverifiedvulncheckvulncheck.com/xdb/37ad2c898d17unverifiedvulncheckvulncheck.com/xdb/02a33f79c86dunverifiedvulncheckvulncheck.com/xdb/082d110fb6b3unverifiedvulncheckvulncheck.com/xdb/0b231ab59595unverifiedvulncheckvulncheck.com/xdb/7cb6e21c3a23unverifiedvulncheckvulncheck.com/xdb/1a09e5d73453unverifiedvulncheckvulncheck.com/xdb/b100cd8906f7unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/153696/fuelCMS-1.4.1-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/160080/Fuel-CMS-1.4-Remote-Code-Execution.htmlhttp://packetstormsecurity.com/files/164756/Fuel-CMS-1.4.1-Remote-Code-Execution.htmlhttps://0xd0ff9.wordpress.com/2019/07/19/from-code-evaluation-to-pre-auth-remote-code-execution-cve-2018-16763-bypass/https://github.com/daylightstudio/FUEL-CMS/issues/478https://www.exploit-db.com/exploits/47138