CVE-2017-18486

HIGH

Jitbit Helpdesk <9.0.3 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-18486. PoCs published by Kc57.

AI-analyzed exploit summary: This is a writeup describing a broken authentication vulnerability in JitBit HelpDesk <= 9.0.2. The actual exploit code is referenced as a separate download link, but no functional exploit code is provided in the text.

Description

Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privileges because of mishandling of the User/AutoLogin userHash parameter. By inspecting the token value provided in a password reset link, a user can leverage a weak PRNG to recover the shared secret used by the server for remote authentication. The shared secret can be used to escalate privileges by forging new tokens for any user. These tokens can be used to automatically log in as the affected user.

Exploits (2)

exploitdb WRITEUP
by Kc57 · text · webapps · asp
https://www.exploit-db.com/exploits/42776

This is a writeup describing a broken authentication vulnerability in JitBit HelpDesk <= 9.0.2. The actual exploit code is referenced as a separate download link, but no functional exploit code is provided in the text.

Classification: Writeup (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Theoretical
Target: JitBit HelpDesk <= 9.0.2
Auth required: None
Prerequisites: Access to the target application
Analyzed by devstral-2, Feb 16, 2026
nomisec WORKING POC 3 stars
by Kc57 · poc
https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass

This PoC is a brute-force tool designed to exploit CVE-2017-18486, an authentication bypass vulnerability in JitBit Helpdesk. It generates random codes and computes MD5 hashes to find a matching hash, allowing an attacker to bypass authentication.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: JitBit Helpdesk
Auth required: None
Prerequisites: known hash · username · email · date in DDMM format
Analyzed by devstral-2, Feb 16, 2026
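The attack path that the Description and the nomisec PoC entry above describe, as an added example that is not Jitbit's code and not the Kc57 PoC: a toy model in which the auto-login hash is MD5 over username, email and a server-side secret, and the secret comes from a weak generator that yields a DDMM date followed by only three random letters. Both the token format and the secret structure are assumptions chosen to mirror the PoC's listed prerequisites (known hash, username, email, date in DDMM format); the real Jitbit construction is not on this page. One token leaked in a password reset link is enough to recover the secret by exhaustive search and then forge a valid token for any other account. The hardened functions show what the scheme should look like instead: a CSPRNG secret, a keyed HMAC with a field delimiter, and constant-time verification.

```python
import hashlib
import hmac
import itertools
import secrets
import string

# Assumed toy parameters (not Jitbit's real scheme): the unknown part of the
# secret is 3 lowercase letters after a DDMM date, i.e. 26**3 = 17,576
# candidates per date.
SUFFIX_ALPHABET = string.ascii_lowercase
SUFFIX_LEN = 3


def weak_secret(ddmm: str, suffix: str) -> str:
    """Toy model of a secret produced by a weak, date-seeded generator."""
    return f"{ddmm}{suffix}"


def legacy_token(username: str, email: str, secret: str) -> str:
    """Assumed legacy auto-login hash: unkeyed MD5 over known fields + secret."""
    return hashlib.md5(f"{username}{email}{secret}".encode()).hexdigest()


def recover_secret(token: str, username: str, email: str, ddmm: str):
    """Brute-force the secret from ONE observed token (e.g. a reset-link userHash).

    The attacker knows username, email and the generation date; only the short
    suffix is unknown, so the whole space is searched in well under a second.
    Returns the secret, or None if no candidate reproduces the token.
    """
    for combo in itertools.product(SUFFIX_ALPHABET, repeat=SUFFIX_LEN):
        candidate = weak_secret(ddmm, "".join(combo))
        if legacy_token(username, email, candidate) == token:
            return candidate
    return None


def forge_token(secret: str, target_username: str, target_email: str) -> str:
    """With the shared secret known, mint a valid auto-login hash for ANY user."""
    return legacy_token(target_username, target_email, secret)


# --- Hardened form: what the generator and token should look like instead ---

def strong_secret() -> str:
    """256 bits from the OS CSPRNG; no date structure for an attacker to exploit."""
    return secrets.token_hex(32)


def hmac_token(username: str, email: str, secret: str) -> str:
    """Keyed MAC with a NUL delimiter so 'ab'+'c' and 'a'+'bc' cannot collide."""
    msg = f"{username}\x00{email}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_hmac_token(username: str, email: str, secret: str, presented: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the MAC."""
    return hmac.compare_digest(hmac_token(username, email, secret), presented)


def attack_demo():
    """Constructed scenario: secret generated on 15 March, leaked via alice's reset link."""
    server_secret = weak_secret("1503", "qzx")
    observed = legacy_token("alice", "alice@example.com", server_secret)
    recovered = recover_secret(observed, "alice", "alice@example.com", "1503")
    forged = forge_token(recovered, "admin", "admin@example.com")
    # The server-side check the forged token would pass:
    accepted = forged == legacy_token("admin", "admin@example.com", server_secret)
    return recovered, accepted


def hardened_demo():
    """Issue and verify under the hardened scheme; a one-character tamper is rejected."""
    server_secret = strong_secret()
    token = hmac_token("alice", "alice@example.com", server_secret)
    ok = verify_hmac_token("alice", "alice@example.com", server_secret, token)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    rejected = not verify_hmac_token("alice", "alice@example.com", server_secret, tampered)
    return ok, rejected


if __name__ == "__main__":
    print("weak scheme   -> recovered secret %r, forged admin token accepted: %s" % attack_demo())
    print("strong scheme -> alice token valid: %s, tampered token rejected: %s" % hardened_demo())
```

The brute force only works because the secret's search space is tiny once the date is known; with a 256-bit CSPRNG secret the same loop has nothing to enumerate, and the keyed MAC means an observed token never reveals the key even to an attacker who can compute arbitrarily many hashes.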

References (4)

Core references:
Exploit, Third Party Advisory: https://github.com/Kc57/JitBit_Helpdesk_Auth_Bypass
Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/42776

Scores

CVSS v3.0 base score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0481 (4.81%), percentile 90.8%
Attack Vector: Network
Note: the vector's PR:H (high privileges required) is at odds with the exploit analyses above, which list no authentication as needed; per the description, the attacker only needs a password reset token for some account, from which the shared secret is recovered.

Details

CWE: CWE-332 (Insufficient Entropy in PRNG)
Status: published
Products (1): jitbit/helpdesk < 9.0.3
Published: Aug 09, 2019
Tracked since: Feb 18, 2026