CVE-2018-15133
published 2018-08-09
CVE-2018-15133: In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted…
Priority: P1 · 88 · high · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-02-06
Exploited in the wild
EPSS: 76.81% (99.5th percentile)
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-laravel-framework | — | — |
| giflib_project | giflib | >= 0 < 5.1.4-0.3~16.04.1 | 5.1.4-0.3~16.04.1 |
| giflib_project | giflib | >= 0 < 5.1.4-2ubuntu0.1 | 5.1.4-2ubuntu0.1 |
| laravel | framework | 0 – 5.5.40 | — |
| laravel | framework | >= 5.6.0 < 5.6.30 | 5.6.30 |
| laravel | laravel | <= 5.5.40 | — |
| laravel | laravel | 5.6.0 – 5.6.29 | — |
Detection & IOCs (extracted from sources)
- Inspect HTTP POST requests for a malicious X-XSRF-TOKEN header containing a base64-encoded, AES-256-CBC encrypted PHP serialized payload (JSON structure with 'iv', 'value', 'mac' keys) targeting index.php.
- Alert on HTTP responses containing 'DecryptException' and 'APP_KEY' in the body, which indicates the application key may be leaking via Laravel framework error messages.
- Monitor for GET requests to /.env on Laravel application servers; a successful response containing 'APP_KEY' indicates credential exposure exploitable for RCE (CVE-2017-16894 chained with CVE-2018-15133).
- Review outgoing GET requests (via cURL) to file hosting sites such as GitHub or pastebin, particularly when the request accesses a .php file, as this is a post-exploitation indicator of Androxgh0st activity.
- Check for the presence of XSRF-TOKEN or laravel_session cookies/headers in HTTP traffic as a prerequisite indicator that the target is a Laravel application susceptible to this vulnerability.
- Exploitation requires the attacker to know the Laravel APP_KEY (base64-encoded, 32-byte AES key from the .env file). Without it, the encrypted payload cannot be crafted. The key may be leaked via exposed .env files (CVE-2017-16894) or Laravel debug-mode error pages.
- The vulnerability affects Laravel Framework versions 5.5.40 and 5.6.x through 5.6.29; the fix was introduced in 5.6.30. Both AES-256-CBC and potentially AES-128-CBC cipher modes are relevant to payload generation.
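As an added example (not from this page or from any of the sources it quotes), the following stdlib-only Python detector applies the indicators above to HTTP request/response records: it decodes an X-XSRF-TOKEN header and checks for the iv/value/mac envelope, flags an encrypted value far larger than a normal CSRF token, flags a served /.env containing APP_KEY, flags a DecryptException error page that also prints APP_KEY, and records the laravel_session/XSRF-TOKEN fingerprint. The record format, the sample records, the placeholder APP_KEY and the 200-character size threshold are all constructed assumptions (a legitimate token serializes to roughly 88 base64 characters, so anything several times that is not a token).

```python
import base64
import json
from typing import Dict, List, Optional
from urllib.parse import unquote

# Assumption: a legitimate Laravel XSRF token (a 40-character random string,
# serialized and AES-CBC encrypted) yields roughly 88 base64 characters in
# "value"; a serialized gadget chain is several times larger.
LEGIT_TOKEN_VALUE_MAX = 200


def parse_laravel_envelope(token: str) -> Optional[Dict[str, str]]:
    """Decode a Laravel encrypted-cookie envelope: base64(JSON{iv, value, mac})."""
    try:
        raw = base64.b64decode(unquote(token), validate=True)
        data = json.loads(raw)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict) or not {"iv", "value", "mac"} <= data.keys():
        return None
    return data


def scan_record(rec: Dict) -> List[str]:
    """Return the indicator names that fire for one request/response record."""
    findings: List[str] = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    cookie = headers.get("cookie", "")
    token = headers.get("x-xsrf-token")
    body = rec.get("response_body", "")

    # Prerequisite fingerprint: the target looks like a Laravel application.
    if token or "XSRF-TOKEN=" in cookie or "laravel_session=" in cookie:
        findings.append("laravel_fingerprint")

    # Encrypted envelope whose ciphertext is far too large for a CSRF token.
    if token:
        envelope = parse_laravel_envelope(token)
        if envelope and len(str(envelope["value"])) > LEGIT_TOKEN_VALUE_MAX:
            findings.append("xsrf_token_oversized")

    # Credential exposure: .env served successfully with the application key inside.
    if (rec.get("method") == "GET" and rec.get("path", "").rstrip("/").endswith("/.env")
            and rec.get("status") == 200 and "APP_KEY=" in body):
        findings.append("env_file_exposed")

    # Debug-mode error page leaking the key alongside a decryption failure.
    if "DecryptException" in body and "APP_KEY" in body:
        findings.append("app_key_in_error")
    return findings


def scan_records(records: List[Dict]) -> List[Dict]:
    """Scan a batch; one entry per record that triggered at least one indicator."""
    out = []
    for i, rec in enumerate(records):
        hits = scan_record(rec)
        if hits:
            out.append({"index": i, "path": rec.get("path"), "findings": hits})
    return out


def constructed_token(value_len: int) -> str:
    """Constructed envelope with the real JSON shape but filler iv/value/mac (no real ciphertext)."""
    envelope = {"iv": base64.b64encode(b"\x00" * 16).decode(),
                "value": "A" * value_len, "mac": "0" * 64}
    return base64.b64encode(json.dumps(envelope).encode()).decode()


# Constructed sample traffic; APP_KEY values are placeholders, not real keys.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/index.php", "status": 200,
     "headers": {"X-XSRF-TOKEN": constructed_token(88), "Cookie": "laravel_session=abc"},
     "response_body": "<html>ok</html>"},
    {"method": "POST", "path": "/index.php", "status": 500,
     "headers": {"X-XSRF-TOKEN": constructed_token(420)},
     "response_body": "<html>ok</html>"},
    {"method": "GET", "path": "/.env", "status": 200, "headers": {},
     "response_body": "APP_NAME=Shop\nAPP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY\n"},
    {"method": "POST", "path": "/login", "status": 500,
     "headers": {"Cookie": "laravel_session=abc"},
     "response_body": "Illuminate\\Encryption\\DecryptException: The MAC is invalid. "
                      "Environment: APP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY"},
    {"method": "GET", "path": "/about", "status": 200, "headers": {},
     "response_body": "<html>ok</html>"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(hit)
```

The size check is a heuristic rather than proof of exploitation: the envelope format is shared by every Laravel encrypted cookie, so the fingerprint alone is informational, and only the oversized value, the served .env, and the key-leaking error page are worth an alert on their own.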
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vulncheck | — | 8.1 | HIGH | — |
| cisa | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | LOW | — |
CISA
Laravel Deserialization of Untrusted Data Vulnerability
cisa·2024-01-16·CVSS 8.1
CVE-2018-15133 [HIGH] CWE-502 Laravel Deserialization of Untrusted Data Vulnerability
Vulnerability: Laravel Deserialization of Untrusted Data Vulnerability
Affected: Laravel Laravel Framework
Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30; https://nvd.nist.gov/vuln/detail/CVE-2018-15133
Remediation Due Date: 2024-02-06
Debian
CVE-2018-15133: php-laravel-framework - In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execut...
vendor_debian·2018·CVSS 8.1
CVE-2018-15133 [HIGH] CVE-2018-15133: php-laravel-framework - In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execut...
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
Laravel Framework RCE Vulnerability
ghsa·2022-05-14
CVE-2018-15133 [HIGH] CWE-502 Laravel Framework RCE Vulnerability
Laravel Framework RCE Vulnerability
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in `Illuminate/Encryption/Encrypter.php` and PendingBroadcast in `gadgetchains/Laravel/RCE/3/chain.php` in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
OSV
Laravel Framework RCE Vulnerability
osv·2022-05-14
CVE-2018-15133 [HIGH] Laravel Framework RCE Vulnerability
Laravel Framework RCE Vulnerability
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in `Illuminate/Encryption/Encrypter.php` and PendingBroadcast in `gadgetchains/Laravel/RCE/3/chain.php` in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.
OSV
giflib vulnerabilities
osv·2019-08-20·CVSS 5.5
CVE-2016-3977 giflib vulnerabilities
giflib vulnerabilities
It was discovered that GIFLIB incorrectly handled certain GIF files.
An attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS. (CVE-2016-3977)
It was discovered that GIFLIB incorrectly handled certain GIF files.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2018-11490, CVE-2019-15133)
VulnCheck
Laravel Deserialization of Untrusted Data Vulnerability
vulncheck·2018·CVSS 8.1
CVE-2018-15133 [HIGH] CWE-502 Laravel Deserialization of Untrusted Data Vulnerability
Laravel Deserialization of Untrusted Data Vulnerability
Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).
Affected: Laravel Laravel Framework
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.fortiguard.com/threat-signal-report/5066; https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/outbreak-alert/androxgh0st-malware; https://blogs.juniper.net/en-
No detection rules found.
Exploit-DB
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)
exploitdb·2019-07-16·CVSS 8.1
CVE-2018-15133 [HIGH] PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)
```ruby
PHP Laravel Framework 5.5.40 / 5.6.x 'PHP Laravel Framework token Unserialize Remote Command Execution',
'Description' => %q{
  This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x '2018-08-07',
'Author' =>
  [
    'Ståle Pettersen', # Discovery
    'aushack', # msf exploit + other leak
  ],
'References' =>
  [
    ['CVE', '2018-15133'],
    ['CVE', '2017-16894'],
    ['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
    ['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
    ['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
  ],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultTarget' => 0,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/u
```
Metasploit
PHP Laravel Framework token Unserialize Remote Command Execution
metasploit
PHP Laravel Framework token Unserialize Remote Command Execution
PHP Laravel Framework token Unserialize Remote Command Execution
This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation.
Wiz
Crying Out Cloud - February Newsletter | Wiz
blogs_wiz·2024-02-01·CVSS 9.8
CVE-2023-33246 [CRITICAL] Crying Out Cloud - February Newsletter | Wiz
This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure. Let's dive in.
Here are our top picks!
## 🐞 High Profile Vulnerabilities
Apache RocketMQ RCE vulnerability exploited in-the-wild
In August 2023 researchers identified attackers exploiting CVE-2023-33246, a critical vulnerability in Apache RocketMQ, to install the DreamBus bot, a malware strain last reported about publicly in 2021. On January 5, 2024 Apache stated that the patch for CVE-2023-33246 was in fact insufficient, and an additional CVE was assigned to the bypass - CVE-2023-37582. The latter vulnerability is also being exploited in the wild, so it is recommended to patc
Tenable
Cybersecurity Snapshot: Critical Infrastructure Orgs Cautioned About Chinese Drones, While Water Plants Advised To Boost Incident Response
blogs_tenable·2024-01-19
Cybersecurity Snapshot: Critical Infrastructure Orgs Cautioned About Chinese Drones, While Water Plants Advised To Boost Incident Response
Bleepingcomputer
FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
blogs_bleepingcomputer·2024-01-16·CVSS 9.8
[CRITICAL] FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
## FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials
## Sergiu Gatlan
CISA and the FBI warned today that threat actors using Androxgh0st malware are building a botnet focused on cloud credential theft and using the stolen information to deliver additional malicious payloads.
This botnet was first spotted by Lacework Labs in 2022 and was controlling over 40,000 devices almost one year ago, according to Fortiguard Labs data.
It scans for websites and servers vulnerable to the following remote code execution (RCE) vulnerabilities: CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).
"Androxgh0st is a Python-scripted malware primarily used to target .env files that contain confidential informat
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
References:
- http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html
- https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15133
Timeline:
- 2018-08-09: Published
- 2024-01-16: Added to CISA KEV
- Exploited in the wild