CVE-2018-19422
CVE-2018-19422
Vexday Risk Score
50Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Functional exploit
Popular PoC on GitHub (8 stars) — exploitation code widely available.
CVSS —EPSS 64.3%KEV nãoPoC públicaNuclei —Metasploit simPatch —
Lifecycle
04 Nov 2018Metasploit module available
21 Nov 2018Published on NVD
17 May 2021Public PoC
Weaponization speed
908 daysto first PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.
Affected products
n/a · n/apublic PoCs found — 6
githubgithub.com/hev0x/CVE-2018-19422-SubrionCMS-RCE★ 8githubgithub.com/Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-★ 6githubgithub.com/Drew-Alleman/CVE-2018-19422★ 0cve_referencepacketstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.htmlunverifiedcve_referencepacketstormsecurity.com/files/173998/Intelliants-Subrion-CMS-4.2.1-Remote-Code-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49876unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.