CVE-2017-18365

CRITICAL EXPLOITED

GitHub Enterprise 2.8.0-2.8.6 - Unauthenticated Remote Code Execution via Deserialization

Title source: llm

Exploitation Summary

CVE-2017-18365 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit, including a Metasploit module exploits/linux/http/github_enterprise_secret.

AI-analyzed exploit summary This Metasploit module exploits a hard-coded session secret and unsafe deserialization in GitHub Enterprise (2.8.0-2.8.6) to achieve remote code execution. It signs a malicious serialized Ruby object and sends it via a tampered cookie to trigger arbitrary command execution.

Description

The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/github_enterprise_secret.rb

View Code ZIP pw:eip

This Metasploit module exploits a hard-coded session secret and unsafe deserialization in GitHub Enterprise (2.8.0-2.8.6) to achieve remote code execution. It signs a malicious serialized Ruby object and sends it via a tampered cookie to trigger arbitrary command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GitHub Enterprise 2.8.0 - 2.8.6

No auth needed

Prerequisites: Network access to the target GitHub Enterprise instance · Target must be running a vulnerable version (2.8.0-2.8.6)

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://www.exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html

Vendor Advisory x_refsource_misc

https://enterprise.github.com/releases/2.8.7/notes

Scores

CVSS v3 9.8

EPSS 0.2140

EPSS Percentile 97.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-10

CWE

CWE-502

Status published

Products (2)

github/github 2.8.7

github/github 2.8.0 - 2.8.7

Published Mar 28, 2019

Tracked Since Feb 18, 2026