CVE-2018-8495
Published: 2018-10-10
Priority: P3 · 57 · High 7.5 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 55.80% (98.9th percentile)
A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_10_servers | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_version_1607_for_32-bit_systems | — | — |
| msrc | windows_10_version_1607_for_x64-based_systems | — | — |
| msrc | windows_10_version_1703_for_32-bit_systems | — | — |
| msrc | windows_10_version_1703_for_x64-based_systems | — | — |
| msrc | windows_10_version_1709_for_32-bit_systems | — | — |
| msrc | windows_10_version_1709_for_x64-based_systems | — | — |
| msrc | windows_10_version_1803_for_32-bit_systems | — | — |
| msrc | windows_10_version_1803_for_x64-based_systems | — | — |
## Detection & IOCs (extracted from sources)

- other: `wshfile:`
- filename: `SyncAppvPublishingServer.vbs`

Snort rule:

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file.data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, cve CVE_2018_8495, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_14;)
```

- The PoC exploit uses the `wshfile:` URI scheme combined with a path traversal sequence (`../../`) and invokes `SyncAppvPublishingServer.vbs`. Network detection should look for HTTP responses containing all three patterns within close proximity.
- The PoC also contains the JavaScript event handler patterns `window.onkeydown=e=>` and `window.onkeydown=z=` alongside `click()`; the presence of these strings in HTTP response bodies sent to client endpoints is a strong indicator of exploit delivery.
- The vulnerability is exploited via a specially crafted website delivered through Microsoft Edge; the attack vector is inbound HTTP traffic to client endpoints (`to_client` flow direction).
- A public Proof of Concept was published by researcher Abdulrahman Al-Qabandi on October 11, 2018, providing a blueprint for exploitation. Treat any traffic referencing the PoC URL (leucosite.com/Microsoft-Edge-RCE/) as a high-confidence indicator.
- The Emerging Threats Snort rule (sid:2026488) targets the specific PoC payload patterns; variants or obfuscated exploits may not match. The rule is classified `confidence Medium` by the rule author.
- Exploitation requires specific user interaction: the user must visit the attacker-controlled page and perform a specific action, so passive network monitoring alone may miss the full attack chain.
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| vendor_msrc | — | 4.2 | MEDIUM | — |
## Microsoft: Windows Shell Remote Code Execution Vulnerability

Source: vendor_msrc · 2018-10-09 · CVSS 4.2 · CVE-2018-8495 [HIGH]
Description: A remote code execution vulnerability exists when Windows Shell improperly handles URIs. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attack requires specific user interaction which an attacker would need to trick the user into performing. There is no way an atta
## GHSA: GHSA-mc99-9q9v-9cj5

Source: ghsa_unreviewed · 2022-05-13 · CVE-2018-8495 [HIGH] · CWE-22
A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.
## Suricata: ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)

Source: suricata · 2018-10-15 · CVSS 7.5 · CVE-2018-8495 [HIGH]

Rule: sid:2026488 (the full rule text is quoted in the Detection & IOCs section above).
No public exploits indexed.
## Tenable: Microsoft’s October 2018 Security Update: There's More to the Story

Source: blogs_tenable · 2018-10-15 · CVSS 7.8 [HIGH]

By Satnam Narang, October 15, 2018
A week after Microsoft addressed 49 vulnerabilities in its October 2018 Security Update, new developments have emerged that change the threat profile of some of them.
## Background
On Tuesday, October 9, Microsoft released its October 2018 Security Update, also known as Patch Tuesday. This security update contained fixes for 49 vulnerabilities. Since the publication of this security update, new developments have emerged that change the threat profile of some of these vulnerabilities. The most notable developments center around vulnerabilities in Microsoft Windows Shell, Microsoft Win32k.sys and Microsoft JET Database Engine.
## Vulne
## Trend Micro: Patch Tuesday Fixes JET Database Engine, Win32K bugs

Source: blogs_trendmicro · 2018-10-10 · CVSS 7.8 · CVE-2018-8423 [HIGH]

Exploits and Vulnerabilities

By: Trend Micro, Oct 10, 2018

This month’s Patch Tuesday fixes a JET Database Engine Vulnerability (CVE-2018-8423) that Trend Micro’s Zero Day Initiative (ZDI) disclosed last September together with a proof of concept code. The vulnerability, which was rated as Important, can allow an attacker to send a specially crafted file containing data in the JET database format. When accessed on a machine, it can allow the JET database engine to execute an out-of-bounds write that would
## Talos: Microsoft Patch Tuesday — October 18: Vulnerability disclosures and Snort coverage

Source: blogs_talos · 2018-10-09 · CVSS 7.5 [HIGH]

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 49 vulnerabilities, 12 of which are rated “critical,” 34 that are rated “important,” two that are considered to have “moderate” severity and one that’s rated as “low.”
The advisories cover bugs in the Chakra scripting engine, the Microsoft Edge internet browser and the Microsoft Office suite of products, among other software.
This update also includes a critical advisory that covers updates to the Microsoft Office suite of products.
Please visit the SNORTⓇ blog here if you would like to know more about the coverage we have for these vulnerabilities.
Critical vulnerabilities
Microsoft has disclosed 12 critical vulnerabilities this mont
## Zscaler: Security Advisory – October 09, 2018

Source: blogs_zscaler · CVSS 9.3 [CRITICAL]
## References

- http://www.securityfocus.com/bid/105461
- https://leucosite.com/Microsoft-Edge-RCE/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8495