CVE-2018-8495
published 2018-10-10

Priority: P3 57 high
CVSS 3.0 base score: 7.5 (AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H)
EPSS: 55.80% (98.9th percentile)
A remote code execution vulnerability exists when Windows Shell improperly handles URIs, aka "Windows Shell Remote Code Execution Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers.

Affected

28 ranges · showing 25

Vendor     Product                                          Version range   Fixed in
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10
microsoft  windows_10_servers
microsoft  windows_10_servers
microsoft  windows_server_2016
microsoft  windows_server_2016
microsoft  windows_server_2016
msrc       windows_10_version_1607_for_32-bit_systems
msrc       windows_10_version_1607_for_x64-based_systems
msrc       windows_10_version_1703_for_32-bit_systems
msrc       windows_10_version_1703_for_x64-based_systems
msrc       windows_10_version_1709_for_32-bit_systems
msrc       windows_10_version_1709_for_x64-based_systems
msrc       windows_10_version_1803_for_32-bit_systems
msrc       windows_10_version_1803_for_x64-based_systems

Detection & IOCs (extracted from sources)

Indicators:
  other     wshfile:
  filename  SyncAppvPublishingServer.vbs

Snort rule:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Edge Remote Command Execution PoC (CVE-2018-8495)"; flow:established,to_client; file.data; content:"wshfile:"; content:"../../"; within:100; content:"SyncAppvPublishingServer.vbs"; within:200; nocase; fast_pattern; content:"window.onkeydown=e=>"; nocase; distance:0; content:"window.onkeydown=z="; nocase; distance:0; content:"click()"; nocase; distance:0; reference:url,leucosite.com/Microsoft-Edge-RCE/; reference:cve,2018-8495; classtype:attempted-user; sid:2026488; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_10_15, cve CVE_2018_8495, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_14;)
  • The PoC exploit uses the 'wshfile:' URI scheme combined with a path traversal sequence ('../../') and invokes 'SyncAppvPublishingServer.vbs'. Network detection should look for HTTP responses containing all three patterns in close proximity (the rule requires '../../' to end within 100 bytes of 'wshfile:' and the script name within 200 bytes of that).
  • The PoC also contains the JavaScript event handler patterns 'window.onkeydown=e=>' and 'window.onkeydown=z=' alongside 'click()'; the presence of these strings in HTTP response bodies sent to client endpoints is a strong indicator of exploit delivery.
  • The vulnerability is exploited via a specially crafted website delivered through Microsoft Edge; the attack vector is inbound HTTP traffic to client endpoints (to_client flow direction).
  • A public Proof of Concept was published by researcher Abdulrahman Al-Qabandi on October 11, 2018, providing a blueprint for exploitation. Treat any traffic referencing the PoC URL (leucosite.com/Microsoft-Edge-RCE/) as a high-confidence indicator.
  • The Emerging Threats Snort rule (sid:2026488) targets the specific PoC payload patterns; variants or obfuscated exploits may not match. Note that only the script name and JavaScript patterns are matched case-insensitively ('nocase'); the 'wshfile:' and '../../' contents are case-sensitive. The rule is classified 'confidence Medium' by the rule author.
  • Exploitation requires specific user interaction: the user must visit the attacker-controlled page and perform a specific action, so passive network monitoring alone may miss the full attack chain.
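To make the proximity logic of the Snort rule above concrete, here is an added Python example (not the rule author's or Emerging Threats' code) that replays the rule's ordered content chain over an HTTP response body. It assumes a simplified reading of Snort's modifiers: 'within:N' means the content must end within N bytes of the previous match's end, and 'distance:0' means the content must start at or after the previous match's end. The sample bodies are constructed test vectors built from the strings already listed in the rule; they are not exploit code.

```python
"""Replay the content-match chain of ET rule sid:2026488 (CVE-2018-8495)
over a response body, to test detection logic offline.

Assumption (simplified Snort semantics):
  within:N   -> match must END no more than N bytes after the previous match end
  distance:0 -> match must START at or after the previous match end
"""
from typing import List, Optional, Tuple

# (content, nocase, within) in rule order; within=None stands for distance:0.
# Only the last four contents carry 'nocase' in the rule.
RULE_CHAIN: List[Tuple[bytes, bool, Optional[int]]] = [
    (b"wshfile:", False, None),
    (b"../../", False, 100),
    (b"SyncAppvPublishingServer.vbs", True, 200),
    (b"window.onkeydown=e=>", True, None),
    (b"window.onkeydown=z=", True, None),
    (b"click()", True, None),
]


def find_rule_chain(body: bytes, chain=RULE_CHAIN) -> Optional[List[Tuple[bytes, int]]]:
    """Return [(content, offset), ...] for each matched content, or None if
    the chain breaks at any step (content absent or outside its window)."""
    hits: List[Tuple[bytes, int]] = []
    cursor = 0  # end offset of the previous match
    for content, nocase, within in chain:
        hay = body.lower() if nocase else body
        needle = content.lower() if nocase else content
        idx = hay.find(needle, cursor)
        if idx < 0:
            return None
        end = idx + len(needle)
        if within is not None and end > cursor + within:
            return None  # present, but too far from the previous content
        hits.append((content, idx))
        cursor = end
    return hits


def matches_rule_chain(body: bytes) -> bool:
    """True when the body would satisfy every content check of the rule."""
    return find_rule_chain(body) is not None


# --- constructed test vectors (not real pages) -------------------------------
SAMPLE_POSITIVE = (
    b"x wshfile: ../../ SyncAppvPublishingServer.vbs "
    b"window.onkeydown=e=> window.onkeydown=z= click() y"
)
# Same strings, but '../../' pushed more than 100 bytes past 'wshfile:'.
SAMPLE_FAR_APART = (
    b"wshfile:" + b" " * 150 +
    b"../../ SyncAppvPublishingServer.vbs window.onkeydown=e=> "
    b"window.onkeydown=z= click()"
)
# Ordinary page: key handler and click() present, no URI scheme or script name.
SAMPLE_BENIGN = b"<script>window.onkeydown=e=>{}; btn.click()</script>"
# 'wshfile:' has no nocase in the rule, so an upper-case scheme evades it.
SAMPLE_UPPER_SCHEME = SAMPLE_POSITIVE.replace(b"wshfile:", b"WSHFILE:")
# The script name does have nocase, so this variant still matches.
SAMPLE_LOWER_VBS = SAMPLE_POSITIVE.replace(
    b"SyncAppvPublishingServer.vbs", b"syncappvpublishingserver.vbs"
)

if __name__ == "__main__":
    for name, body in [
        ("positive", SAMPLE_POSITIVE), ("far_apart", SAMPLE_FAR_APART),
        ("benign", SAMPLE_BENIGN), ("upper_scheme", SAMPLE_UPPER_SCHEME),
        ("lower_vbs", SAMPLE_LOWER_VBS),
    ]:
        print(f"{name:13s} -> {matches_rule_chain(body)}")
```

The two evasion vectors illustrate the bullet above about variants: moving the traversal sequence out of the 100-byte window, or changing the case of the case-sensitive contents, leaves every indicator present but the rule silent, which is why host-side telemetry for the script name in the filename indicator is a useful second layer.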

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd          v2.0      7.6     HIGH       AV:N/AC:H/Au:N/C:C/I:C/A:C
vendor_msrc            4.2     MEDIUM