CVE-2018-1000006

HIGH

Electron < 1.7.11 - Remote Code Execution via Protocol Handler

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2018-1000006. PoCs have been published by Metasploit, Wflki, and CHYbeta, including the Metasploit module exploits/windows/browser/exodus.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2018-1000006, a vulnerability in the ElectronJS framework used by Exodus Wallet, to achieve remote code execution via a crafted URL that triggers a malicious protocol handler.

Description

GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, and 1.6.15 and earlier have a vulnerability in the protocol handler: Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked into arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby remote windows
https://www.exploit-db.com/exploits/44357

This Metasploit module exploits CVE-2018-1000006, a vulnerability in the ElectronJS framework used by Exodus Wallet, to achieve remote code execution via a crafted URL that triggers a malicious protocol handler.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Exodus Wallet (ElectronJS Framework)
No auth needed
Prerequisites: Victim must click on a specially crafted URL · Exodus Wallet must be installed on the victim's system
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Wflki · html remote windows
https://www.exploit-db.com/exploits/43899

This exploit leverages a URI handler vulnerability in Exodus wallet to execute arbitrary commands via the '--gpu-launcher' parameter. The PoC demonstrates command injection by redirecting to a malicious 'exodus://' URI.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Exodus Wallet (versions prior to fix for CVE-2018-1000006)
No auth needed
Prerequisites: Victim must have Exodus wallet installed · Victim must interact with the malicious link
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 40 stars
by CHYbeta · poc
https://github.com/CHYbeta/CVE-2018-1000006-DEMO

This repository demonstrates CVE-2018-1000006, a remote command execution vulnerability in Electron versions prior to 1.8.2-beta.4. The PoC includes vulnerable and fixed Electron applications, highlighting the exploit via protocol handler misuse.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Electron < 1.8.2-beta.4
No auth needed
Prerequisites: Victim must open a malicious link or file with the vulnerable Electron app
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC MANUAL
by Wflki, Daniel Teixeira · ruby poc win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/exodus.rb

This Metasploit module exploits a vulnerability in the ElectronJS framework's protocol handler, allowing remote code execution in Exodus Wallet when a user clicks a crafted URL. It serves a malicious HTML page that triggers a PowerShell payload via the 'exodus://' protocol handler.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Exodus Wallet (ElectronJS Framework)
No auth needed
Prerequisites: User interaction (clicking a malicious URL) · Exodus Wallet installed on the target system
devstral-2 · analyzed Feb 19, 2026

References (6)

Core 6
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43899/
Patch, Third Party Advisory x_refsource_confirm
https://github.com/electron/electron/releases/tag/v1.8.2-beta.4
Mitigation, Third Party Advisory x_refsource_confirm
https://electronjs.org/blog/protocol-handler-fix
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102796
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44357/

Scores

CVSS v3 8.8
EPSS 0.9232
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (3)
atom/electron 1.8.2 beta1 (3 CPE variants)
atom/electron < 1.7.10
npm/electron 1.7.0 - 1.7.11 npm
Published Jan 24, 2018
Tracked Since Feb 18, 2026