CVE-2018-16763
published 2018-09-09

Priority: P191 · critical · 9.8 (CVSS 3.1)
CVSS metrics: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 82.94% (99.6th percentile)

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

Affected (1 range)

Vendor | Product | Version range | Fixed in
thedaylightstudio | fuel_cms | <= 1.4.2 | -

Detection & IOCs (extracted from sources)

url: /fuel/pages/select/?filter=%27%2bpi(print(%24a%3d%27system%27))%2b%24a(%27cat%20/etc/passwd%27)%2b%27
url: /fuel/pages/select/?filter=%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27
url: /fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('<cmd>')%2B'
path: /fuel/pages/select/
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fuel/pages/select/"; fast_pattern; content:"filter=|27 2b|"; content:"|2b 27|"; distance:0; reference:url,github.com/daylightstudio/FUEL-CMS/issues/478; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2018-16763; classtype:attempted-admin; sid:2036748; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2018_16763, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes:
filter=|27 2b| ... |2b 27|
  • The exploit targets GET requests to /fuel/pages/select/ with a `filter` parameter containing URL-encoded PHP code injection that uses the pi(print(...)) pattern. Look for `filter=` followed by percent-encoded single quotes and the strings `pi(` or `system`.
  • The attack is Pre-Auth (no authentication required). Any GET to /fuel/pages/select/?filter= with encoded PHP eval payload should be treated as an exploitation attempt regardless of session state.
  • Shodan/FOFA fingerprinting queries used by attackers to discover targets: search for HTTP title 'fuel cms' or page title 'fuel cms'.
  • The exploit also abuses the preview/ data parameter as an alternative injection point. Monitor POST/GET requests to /fuel/preview/ with a `data` parameter containing PHP code.
  • Exploit traffic uses a local proxy on 127.0.0.1:8080 in some variants; however the key network indicator is the URI pattern, not the proxy.
  • The Nuclei template uses a benign test command (cat /etc/passwd) and matches on 'root:.*:0:0:' in the response to confirm RCE. Production detection rules should not rely solely on response content matching, as attackers will use different commands.
  • The Snort rule (ET sid:2036748 rev:2) matches on the URL-encoded single-quote byte sequence |27 2b| in the filter parameter. Attackers may vary encoding (e.g., double-encoding or alternate representations) to evade this specific byte pattern.
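
Added example (not from the sources quoted on this page or from the ET ruleset): a log check that percent-decodes the request target repeatedly before testing for the quote-plus structure, so an extra encoding layer does not hide the `filter` pattern. The function names, the three-round decoding bound, the access-log layout and the sample lines are assumptions made for illustration; it covers only the `filter` parameter, not preview/ `data`.

```python
import re
from urllib.parse import quote, unquote, urlsplit

MAX_ROUNDS = 3  # assumption: bound on nested percent-encoding layers we unwrap
INJECT = re.compile(r"'\s*\+.*\+\s*'", re.S)  # decoded form of |27 2b| ... |2b 27|

def deep_unquote(value, rounds=MAX_ROUNDS):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_fuel_filter_injection(target):
    """True if a request target hits pages/select/ with a quote-plus filter value."""
    parts = urlsplit(target)
    if "/fuel/pages/select" not in deep_unquote(parts.path).lower():
        return False
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        # A literal '+' in a raw query string is a space; only %2b is a plus.
        decoded = deep_unquote(value.replace("+", " "))
        if deep_unquote(name).lower() == "filter" and INJECT.search(decoded):
            return True
    return False

def scan(log_lines):
    """Return request targets from access-log lines that match the pattern."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
        if m and is_fuel_filter_injection(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed samples: this page's <cmd> URL, the same value encoded twice, two benign.
PAGE_URL = "/fuel/pages/select/?filter='%2Bpi(print(%24a%3D'system'))%2B%24a('<cmd>')%2B'"
DOUBLE = "/fuel/pages/select/?filter=" + quote(PAGE_URL.split("=", 1)[1], safe="")
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET {PAGE_URL} HTTP/1.1" 200 512',
    f'203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET {DOUBLE} HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:00:00:03 +0000] "GET /fuel/pages/select/?filter=news HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jan/2024:00:00:04 +0000] "GET /blog/?filter=%27%2Bx%2B%27 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The regular expression is unanchored, so it is slightly broader than the Snort content pair and will also flag a `filter` value that has padding before the first quote.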

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL