CVE-2018-7700
Published 2018-03-27
Priority: P1 · 84 · High · 8.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 74.84% (99.4th percentile)
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dedecms | dedecms | — | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field}
- Look for GET requests to tag_test_action.php containing a 'partcode' parameter with 'runphp=yes' — this is the exploitation vector for CSRF-triggered RCE.
- Probe responses containing the MD5 string '4cc32a3a81d2bb37271934a48ce4468a' (md5('CVE-2018-7700')) with HTTP 200 confirm successful RCE via the runphp tag injection.
- Shodan/FOFA fingerprinting: identify exposed DedeCMS instances via 'http.html:"dedecms"' or 'body="dedecms"' before probing for the vulnerability.
- The exploit requires the victim (authenticated admin) to follow a crafted link or be subjected to a CSRF trigger — the token parameter is left empty in the PoC, suggesting token validation is absent or bypassable in DedeCMS 5.7SP2.
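The first detection point above (GET requests to tag_test_action.php whose partcode carries runphp=yes, with an empty CSRF token) as an added access-log check; this is example code written for this page, not a rule from any of the sources listed, and the log lines it scans are constructed samples in the combined log format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fields needed from an Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# runphp='yes' / runphp="yes" / runphp=yes inside the decoded dede tag.
RUNPHP_RE = re.compile(r"""runphp\s*=\s*["']?yes["']?""", re.IGNORECASE)


def analyze_line(line):
    """Return a finding for a tag_test_action.php request that enables runphp, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.lower().endswith("/tag_test_action.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; a second unquote also catches double-encoded probes.
    partcode = unquote(params.get("partcode", [""])[0])
    token = params.get("token", [""])[0]
    if not RUNPHP_RE.search(partcode):
        return None  # ordinary tag preview without PHP execution
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": int(m["status"]),
        "empty_token": token == "",  # matches the empty token seen in the PoC
        "partcode": partcode,
    }


def scan(lines):
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample log lines (not real traffic); the second one carries the
# request shape from the probe URL quoted on this page.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Nov/2023:10:01:02 +0000] "GET /dede/tag_test_action.php?url=a&token=3f9c&partcode=%7Bdede%3Afield%20name%3D%27title%27%2F%7D HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Nov/2023:10:02:15 +0000] "GET /dede/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5%28%22CVE-2018-7700%22%29%3B{/dede:field} HTTP/1.1" 200 98 "-" "python-requests/2.31"',
    '198.51.100.9 - - [13/Nov/2023:10:02:16 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} empty_token={f['empty_token']}")
```

A 200 response to a flagged request is only a hint that the tag was rendered; confirming execution needs the response body or the MD5 marker noted above.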
CVSS provenance
- NVD (v3.0): 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD (v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
- VulnCheck: 8.8 HIGH
GHSA
GHSA-r537-6cxx-h2mh: DedeCMS 5
ghsa_unreviewed · 2022-05-14 · CVE-2018-7700 [HIGH] · CWE-352
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
VulnCheck
dedecms dedecms Cross-Site Request Forgery (CSRF)
vulncheck · 2018 · CVE-2018-7700 [HIGH] · CVSS 8.8
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Affected: dedecms dedecms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2018-7700
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2018-7700
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-19&
No detection rules found.
Nuclei
DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
nuclei · CVE-2018-7700 [HIGH] · CVSS 8.8
DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Template:
```yaml
id: CVE-2018-7700

info:
  name: DedeCMS 5.7SP2 - Cross-Site Request Forgery/Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    DedeCMS 5.7SP2 is susceptible to cross-site request forgery with a corresponding impact of arbitrary code execution because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
  impact: |
    Successful exploitation of these vulnerabilities can lead to unauthorized actions performed o
```
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
blogs_fortinet · 2022-10-21 · CVE-2022-22954 [CRITICAL] · CVSS 9.8
FORTIGUARD LABS THREAT RESEARCH
By Cara Lin | October 21, 2022
In April, VMware patched the vulnerability CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on the parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, the hosts file, etc. But in August, there were a few particular payloads which got our interest. They had th
GreyNoise
NoiseLetter October 2025
blogs_greynoiseio