CVE-2018-1000094
published 2018-03-13

Priority P261 · high · CVSS 3.0: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 40.55% (98.5th percentile)

CMS Made Simple version 2.2.5 contains a Remote Code Execution vulnerability in File Manager that allows an authenticated admin with access to the file manager to execute code on the server. This attack appears to be exploitable via file upload -> copy to any extension.

Affected

1 range

Vendor | Product | Version range | Fixed in
cmsmadesimple | cms_made_simple | |

Detection & IOCs (extracted from sources)

path: /admin/moduleinterface.php
path: /uploads/shell.php
filename: cmsmsrce.txt
filename: shell.php
command: mact=FileManager,m1_,upload,0
command: mact=FileManager,m1_,fileaction,0
bytes: <?php system($_GET[
snort:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS CMS Made Simple Remote Code Execution"; flow:established,to_server; http.uri; content:"/admin/moduleinterface.php"; fast_pattern; endswith; http.request_body; content:"<?php system($_GET["; reference:cve,2018-1000094; reference:url,exploit-db.com/exploits/44977/; classtype:attempted-user; sid:2025782; rev:3; metadata:attack_target Web_Server, created_at 2018_07_05, cve CVE_2018_100009, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Look for POST requests to /admin/moduleinterface.php with mact=FileManager,m1_,upload,0 followed shortly by mact=FileManager,m1_,fileaction,0 with m1_fileactioncopy parameter — this two-step sequence (upload .txt then copy to .php) is the exploit chain.
  • Detect PHP webshell payload in HTTP request body targeting /admin/moduleinterface.php; the ET rule keys on the string '<?php system($_GET[' in the POST body.
  • Monitor the /uploads/ directory for newly created .php files; the exploit copies an uploaded .txt file to shell.php in the web root's uploads directory, which is then directly accessible via HTTP.
  • The exploit uses a base64-encoded serialized PHP array for the m1_selall parameter to reference the uploaded file during the copy/rename step — look for base64 blobs in m1_selall POST fields.
  • The CSRF token parameter '__c' is extracted from the redirect Location header after login and reused in subsequent exploit requests — correlate authenticated sessions making rapid FileManager module calls.
  • Exploit requires valid admin credentials: this is an authenticated RCE, so detection should focus on admin-authenticated sessions abusing the FileManager module rather than unauthenticated access.
  • The Metasploit module confirms the vulnerability affects both 2.2.5 and 2.2.7; detections should not be scoped only to 2.2.5.
  • The ET Snort rule (sid:2025782) contains a metadata field listing 'cve CVE_2018_100009' which appears to be a typo for CVE-2018-1000094; do not rely on the CVE metadata field in that rule for accurate CVE mapping.
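
The upload-then-copy sequence from the detection notes above can be correlated per admin session once request parameters are available, for example from a WAF or reverse-proxy log. This is an added example, not code from the original page, the ET ruleset or the Metasploit module; the record layout (ts, session, method, path, params), the 60-second window and the function names are assumptions.

```python
import base64

TARGET = "/admin/moduleinterface.php"
UPLOAD = "FileManager,m1_,upload,0"
FILEACTION = "FileManager,m1_,fileaction,0"
WINDOW = 60  # assumed max seconds between upload and copy; tune per site

def is_b64_php_array(value):
    """True if value is base64 that decodes to a PHP serialized array (a:N:{...})."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(b"a:") and raw.endswith(b"}")

def detect(records):
    """Return (session, upload_ts, copy_ts, reasons) for each upload -> copy chain."""
    last_upload, hits = {}, []  # last_upload: session -> ts of latest upload
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["method"] != "POST" or not r["path"].endswith(TARGET):
            continue
        p = r["params"]
        if p.get("mact") == UPLOAD:
            last_upload[r["session"]] = r["ts"]
        elif p.get("mact") == FILEACTION and "m1_fileactioncopy" in p:
            up = last_upload.get(r["session"])
            if up is None or r["ts"] - up > WINDOW:
                continue  # copy with no recent upload in this session
            reasons = ["upload-then-copy"]
            if is_b64_php_array(p.get("m1_selall", "")):
                reasons.append("m1_selall is base64 serialized array")
            hits.append((r["session"], up, r["ts"], reasons))
    return hits

# Constructed sample records (not real traffic); field layout is an assumption.
SEL = base64.b64encode(b'a:1:{i:0;s:11:"example.txt";}').decode()
COPY = {"mact": FILEACTION, "m1_fileactioncopy": "", "m1_selall": SEL}
SAMPLE = [
    {"ts": 100, "session": "A", "method": "POST", "path": TARGET, "params": {"mact": UPLOAD}},
    {"ts": 105, "session": "A", "method": "POST", "path": TARGET, "params": COPY},
    {"ts": 200, "session": "B", "method": "POST", "path": TARGET, "params": COPY},
    {"ts": 300, "session": "C", "method": "POST", "path": TARGET, "params": {"mact": UPLOAD}},
    {"ts": 900, "session": "C", "method": "POST", "path": TARGET, "params": COPY},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE):
        print(hit)
```

Only session A is reported: B copies a file without a preceding upload, and C's copy falls outside the window.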

CVSS provenance

nvd | v3.0 | 7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P