cbcvebase.
CVE-2018-19276
published 2019-03-21

Priority: P192 · critical · CVSS 3.1: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 98.81% (99.9th percentile)
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

Affected (3 ranges)

Vendor    Product   Version range         Fixed in
openmrs   openmrs   >= 1.12.0 < 1.12.1    1.12.1
openmrs   openmrs   >= 2.0.0 < 2.0.8      2.0.8
openmrs   openmrs   >= 2.1.0 < 2.1.4      2.1.4

Detection & IOCs (extracted from sources)

url: /ws/rest/v1/concept
port: 8081
command: sh -c <cmd> (via xml_data = "sh-c#{cmd}" POST to /ws/rest/v1/concept with Content-Type: text/xml)
other: com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
other: java.lang.ProcessBuilder
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_07, reviewed_at 2024_05_06;)
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276"; flow:established,to_server; urilen:19; http.method; content:"POST"; http.uri; content:"/ws/rest/v1/concept"; fast_pattern; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.rapid7.com/db/modules/exploit/multi/http/openmrs_deserialization; reference:cve,2018-19276; classtype:attempted-admin; sid:2030258; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07;)
  • Detect exploit attempts by matching HTTP POST requests to URI /ws/rest/v1/concept (urilen:19) with XML body containing XStream deserialization gadget markers (e.g., java.lang.ProcessBuilder, com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data).
  • Look for HTTP POST requests with Content-Type: text/xml to /ws/rest/v1/concept; the exploit sends XML with Content-Type text/xml rather than application/json.
  • The server response to a successful (but caught) deserialization attempt contains the string 'Could not read [class org.openmrs.module.webservices.rest.SimpleObject]' and 'XStream unmarshalling exception'; monitor for this error in HTTP responses as evidence of exploitation attempts.
  • The payload is deserialized before the exception handler catches it; a 500/error JSON response does NOT rule out successful RCE — monitor for outbound reverse shell connections (e.g., nc) from the OpenMRS/Tomcat process.
  • The Metasploit module targets port 8081 by default; monitor for exploitation attempts on non-standard HTTP ports hosting OpenMRS.
  • The exploit uses the ImageIO component of the XStream library as the deserialization gadget chain; look for XStream-related class names in POST body content to /ws/ endpoints.
  • For nuclei-based detection, match DNS interaction via interactsh combined with application/json Content-Type and body containing 'message":' in response to a crafted POST, covering both /openmrs and root path variants.
  • The vulnerability affects OpenMRS Platform versions before 2.24.0; versions v2.1.2 and v2.21 were confirmed exploitable in testing.
  • The vulnerability is in the `webservices.rest` module; if this module is disabled or not installed, the attack surface is removed.
  • Exploitation is unauthenticated — no credentials are required, making perimeter detection critical.
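The request-side and response-side indicators in the list above can be turned into a small log-review heuristic. The following is an added example, not code from the page's sources, from OpenMRS, or from the Emerging Threats rules: it parses raw HTTP/1.1 requests, flags POSTs to `/ws/rest/v1/concept` (under `/openmrs` or at the root) that carry a `text/xml` body or the XStream gadget class names quoted above, and separately checks a response body for the `Could not read [class ...SimpleObject]` / `XStream unmarshalling exception` strings. The sample requests and response are constructed for the example and contain only the marker class names, not a payload.

```python
"""Heuristic detector for CVE-2018-19276 exploitation attempts.

Added example (not from the page's sources or from OpenMRS). It applies the
indicators listed on the page: POST to /ws/rest/v1/concept, Content-Type
text/xml, XStream gadget class names in the body, and the XStream error text
in the response. All sample traffic below is constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TARGET_PATH = "/ws/rest/v1/concept"  # 19 bytes, matching urilen:19 in the ET rule
GADGET_MARKERS = (
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
    "java.lang.ProcessBuilder",
)
RESPONSE_MARKERS = (
    "Could not read [class org.openmrs.module.webservices.rest.SimpleObject]",
    "XStream unmarshalling exception",
)


@dataclass
class Finding:
    request_index: int
    severity: str
    reasons: List[str] = field(default_factory=list)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]  # ignore any query string
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def score_request(raw: str, index: int = 0) -> Optional[Finding]:
    """Return a Finding for requests shaped like the exploit, else None."""
    method, path, headers, body = parse_request(raw)
    # The endpoint may be served under /openmrs or at the root (see nuclei note).
    if method != "POST" or not path.rstrip("/").endswith(TARGET_PATH):
        return None
    reasons: List[str] = []
    if headers.get("content-type", "").startswith("text/xml"):
        reasons.append("Content-Type text/xml on an endpoint that normally takes JSON")
    for marker in GADGET_MARKERS:
        if marker in body:
            reasons.append(f"gadget marker {marker}")
    if not reasons:
        return None
    severity = "high" if any(r.startswith("gadget") for r in reasons) else "medium"
    return Finding(index, severity, reasons)


def scan(requests: List[str]) -> List[Finding]:
    """Score every request and keep only the ones that produced a finding."""
    findings = []
    for i, raw in enumerate(requests):
        f = score_request(raw, i)
        if f is not None:
            findings.append(f)
    return findings


def response_indicates_attempt(response_body: str) -> bool:
    """True if the server's response carries the XStream error text quoted above."""
    return any(m in response_body for m in RESPONSE_MARKERS)


def _req(*lines: str, body: str = "") -> str:
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed sample traffic (no working payload, only the marker strings).
SAMPLE_REQUESTS = [
    _req("POST /openmrs/ws/rest/v1/concept HTTP/1.1", "Host: emr.example.internal",
         "Content-Type: application/json", body='{"name": "Aspirin"}'),
    _req("POST /ws/rest/v1/concept HTTP/1.1", "Host: emr.example.internal:8081",
         "Content-Type: text/xml",
         body="<map><entry><x>com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"
              "</x><y>java.lang.ProcessBuilder</y></entry></map>"),
    _req("GET /ws/rest/v1/concept?q=Aspirin HTTP/1.1", "Host: emr.example.internal"),
    _req("POST /openmrs/ws/rest/v1/concept HTTP/1.1", "Host: emr.example.internal",
         "Content-Type: text/xml; charset=utf-8", body="<concept><name>x</name></concept>"),
]
SAMPLE_RESPONSE = ('{"error":{"message":"[Could not read [class org.openmrs.module.'
                   'webservices.rest.SimpleObject] XStream unmarshalling exception]"}}')

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"request #{f.request_index}: {f.severity} - " + "; ".join(f.reasons))
    print("response indicates attempt:", response_indicates_attempt(SAMPLE_RESPONSE))
```

Note that, as the page points out, an error response does not mean the attempt failed: the object graph is instantiated before the exception is raised, so a `medium` or `high` finding here should be correlated with process or network telemetry from the Tomcat host rather than closed on the basis of the HTTP status alone.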

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      10.0    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd         v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck             9.8     CRITICAL