cbcvebase.
CVE-2018-15133
published 2018-08-09

Priority: P1 (88, high)
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-02-06
Exploited in the wild
EPSS: 76.81% (99.5th percentile)
In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

Affected (7 ranges)

Vendor         | Product               | Version range            | Fixed in
debian         | php-laravel-framework |                          |
giflib_project | giflib                | >= 0 < 5.1.4-0.3~16.04.1 | 5.1.4-0.3~16.04.1
giflib_project | giflib                | >= 0 < 5.1.4-2ubuntu0.1  | 5.1.4-2ubuntu0.1
laravel        | framework             | 0 – 5.5.40               |
laravel        | framework             | >= 5.6.0 < 5.6.30        | 5.6.30
laravel        | laravel               | <= 5.5.40                |
laravel        | laravel               | 5.6.0 – 5.6.29           |

Detection & IOCs (extracted from sources)

other:   X-XSRF-TOKEN
path:    Illuminate/Encryption/Encrypter.php
path:    gadgetchains/Laravel/RCE/3/chain.php
url:     https://github.com/kozmic/laravel-poc-CVE-2018-15133
process: Illuminate\Broadcasting\PendingBroadcast
  • Inspect HTTP POST requests for a malicious X-XSRF-TOKEN header containing a base64-encoded, AES-256-CBC encrypted PHP serialized payload (JSON structure with 'iv', 'value', 'mac' keys) targeting index.php.
  • Alert on HTTP responses containing 'DecryptException' and 'APP_KEY' in the body, which indicates the application key may be leaking via Laravel framework error messages.
  • Monitor for GET requests to /.env on Laravel application servers; a successful response containing 'APP_KEY' indicates credential exposure exploitable for RCE (CVE-2017-16894 chained with CVE-2018-15133).
  • Review outgoing GET requests (via cURL) to file hosting sites such as GitHub or pastebin, particularly when the request accesses a .php file, as this is a post-exploitation indicator of Androxgh0st activity.
  • Check for the presence of XSRF-TOKEN or laravel_session cookies/headers in HTTP traffic as a prerequisite indicator that the target is a Laravel application susceptible to this vulnerability.
  • Exploitation requires the attacker to know the Laravel APP_KEY (base64-encoded, 32-byte AES key from the .env file). Without it, the encrypted payload cannot be crafted. The key may be leaked via exposed .env files (CVE-2017-16894) or Laravel debug-mode error pages.
  • The vulnerability affects Laravel Framework versions 5.5.40 and 5.6.x through 5.6.29; the fix was introduced in 5.6.30. Both AES-256-CBC and potentially AES-128-CBC cipher modes are relevant to payload generation.
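The detection points above can be turned into a small log-side checker. The following is an added example written for this page; it is not code from cbcvebase, from Laravel, or from the linked PoC. One caveat a defender needs: a legitimate Laravel XSRF-TOKEN uses exactly the same base64(JSON{iv,value,mac}) envelope, so the structure alone is a weak signal. The checker therefore adds two sharper signals: the ciphertext size (a genuine token encrypts a short session string, while a gadget chain is much larger; the 256-byte cut-off is an assumption for this example) and, when the server's own APP_KEY is supplied, whether the MAC on an oversized envelope verifies, which would mean the sender holds the key. The MAC construction assumed here is Laravel 5.x's HMAC-SHA256 over base64(iv) concatenated with base64(ciphertext); `make_envelope` builds constructed samples with random filler bytes, not real encrypted objects, and `APP_KEY` is a constructed stand-in. Only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed stand-in for a Laravel APP_KEY (32 bytes, as for AES-256-CBC). Not a real key.
APP_KEY = hashlib.sha256(b"constructed-example-app-key").digest()

# Assumed cut-off: a genuine XSRF-TOKEN encrypts a serialized 40-character session token,
# which PKCS#7-pads to 64 bytes of ciphertext, so anything far larger deserves a look.
# The number is an assumption for this example, not a Laravel constant.
MAX_BENIGN_CIPHERTEXT = 256


def parse_laravel_envelope(token):
    """Return (iv_b64, value_b64, mac) if `token` has Laravel's encrypted-payload shape
    (base64 of JSON with iv/value/mac keys and a 16-byte IV), otherwise None."""
    try:
        payload = json.loads(base64.b64decode(token, validate=True))
        if not isinstance(payload, dict) or not set(payload) >= {"iv", "value", "mac"}:
            return None
        iv = base64.b64decode(payload["iv"], validate=True)
        base64.b64decode(payload["value"], validate=True)
    except (ValueError, TypeError):
        return None
    if len(iv) != 16:  # AES-CBC IV length; Laravel's payload validation rejects other sizes
        return None
    return payload["iv"], payload["value"], str(payload["mac"])


def mac_is_valid(iv_b64, value_b64, mac, app_key):
    """Assumed Laravel 5.x MAC: hash_hmac('sha256', base64(iv) . base64(ciphertext), key)."""
    expected = hmac.new(app_key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def assess_request(method, path, headers, app_key=None):
    """Findings for one HTTP request: .env probing and suspicious X-XSRF-TOKEN envelopes.
    Pass the server's own APP_KEY to learn whether an oversized envelope carries a valid
    MAC, which would indicate the sender holds the key."""
    findings = []
    if method.upper() == "GET" and path.split("?", 1)[0].rstrip("/").endswith("/.env"):
        findings.append("env-file-probe")
    token = {k.lower(): v for k, v in headers.items()}.get("x-xsrf-token")
    envelope = parse_laravel_envelope(token) if token else None
    if envelope is None:
        return findings
    iv_b64, value_b64, mac = envelope
    ciphertext_len = len(base64.b64decode(value_b64))
    if ciphertext_len > MAX_BENIGN_CIPHERTEXT:
        findings.append("oversized-xsrf-envelope:%d" % ciphertext_len)
        if app_key is not None and mac_is_valid(iv_b64, value_b64, mac, app_key):
            findings.append("valid-mac-on-oversized-envelope:app-key-likely-compromised")
    return findings


def assess_response(status, body):
    """Flag framework error pages that echo the application key."""
    findings = []
    if "DecryptException" in body and "APP_KEY" in body:
        findings.append("decrypt-exception-leaks-app-key")
    return findings


def make_envelope(ciphertext, app_key):
    """Constructed sample builder: wraps arbitrary filler bytes in the Laravel envelope
    shape with a matching MAC. No encryption happens here; this only shapes test input."""
    iv_b64 = base64.b64encode(os.urandom(16)).decode()
    value_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(app_key, (iv_b64 + value_b64).encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(json.dumps({"iv": iv_b64, "value": value_b64, "mac": mac}).encode()).decode()


if __name__ == "__main__":
    # Constructed traffic: a normal-sized token, an oversized one signed with the real key,
    # an oversized one signed with the wrong key, an .env probe, and a leaky error page.
    samples = [
        ("POST", "/index.php", {"X-XSRF-TOKEN": make_envelope(b"\x00" * 64, APP_KEY)}),
        ("POST", "/index.php", {"X-XSRF-TOKEN": make_envelope(b"\x00" * 1024, APP_KEY)}),
        ("POST", "/index.php", {"X-XSRF-TOKEN": make_envelope(b"\x00" * 1024, b"k" * 32)}),
        ("GET", "/.env", {}),
    ]
    for method, path, headers in samples:
        print(method, path, assess_request(method, path, headers, APP_KEY))
    print(assess_response(500, "DecryptException ... APP_KEY=base64:REDACTED-CONSTRUCTED"))
```

Run it as-is to see the findings for the constructed samples; in practice, feed it parsed web-server or reverse-proxy logs and treat `valid-mac-on-oversized-envelope` as a key-compromise incident rather than a single blocked request, since it implies the .env or debug-page leak described in the bullets above has already happened.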

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.1   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 5.5   | MEDIUM   |
vulncheck     |         | 8.1   | HIGH     |
cisa          |         | 8.1   | HIGH     |
vendor_debian |         | 8.1   | LOW      |