CVE-2018-10832

MEDIUM

ModbusPal 1.6b - XML External Entity Injection via Crafted .xmpp or .xmpa Files


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-10832. PoCs published by Trent Gordon.

AI-analyzed exploit summary: This exploit demonstrates an XXE injection vulnerability in ModbusPal 1.6b, allowing an attacker to exfiltrate local file contents by crafting malicious .xmpp or .xmpa files. The PoC uses a remote XML entity to read /etc/issue and send its contents to an attacker-controlled server.

Description

ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack. Projects are saved as .xmpp files and automations can be exported as .xmpa files; both formats are XML-based and both are vulnerable to XXE injection. If a user opens or imports a crafted .xmpp or .xmpa file in ModbusPal, the contents of any local files are returned to a remote attacker.
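A pre-open check for received project and automation files, added here as an example (it is not ModbusPal code and not part of the original advisory): it walks the file with Python's expat binding, which reports DTD declarations without fetching anything, and flags external identifiers. The `scan` and `verdict` names, the block/review/ok policy and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat as expat
from urllib.parse import urlsplit

def scan(data: bytes) -> list:
    """Return (kind, name, target) for each DTD construct; nothing is fetched."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An external subset means the parser is told to load a DTD from elsewhere.
        if system_id or public_id:
            findings.append(("doctype-external", name, system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # External entities carry a SYSTEM/PUBLIC id; internal ones carry a value.
        kind = "entity-external" if (system_id or public_id) else "entity-internal"
        label = ("%" if is_param else "") + name
        findings.append((kind, label, system_id or public_id or ""))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(("parse-error", "", str(exc)))
    return findings

def verdict(data: bytes) -> str:
    """Assumed policy: block external entities and DTDs addressed by URI scheme."""
    findings = scan(data)
    for kind, _name, target in findings:
        if kind == "entity-external":
            return "block"
        if kind == "doctype-external" and urlsplit(target).scheme:
            return "block"
    return "review" if findings else "ok"

# Constructed samples; element names are placeholders, not real ModbusPal content.
CLEAN = b'<?xml version="1.0"?><project><item id="1"/></project>'
LOCAL_DTD = b'<!DOCTYPE project SYSTEM "local.dtd"><project/>'
CRAFTED = (b'<?xml version="1.0"?>\n<!DOCTYPE project [\n'
           b'<!ENTITY % remote SYSTEM "http://example.invalid/placeholder.dtd">\n'
           b']>\n<project/>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("local", LOCAL_DTD), ("crafted", CRAFTED)):
        print(label, verdict(doc), scan(doc))
```

Run it over .xmpp and .xmpa files before they are opened in ModbusPal; a "review" result means a DTD construct or parse error is present and needs a human look.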

Exploits (1)

exploitdb WORKING POC
by Trent Gordon · text · webapps · java
https://www.exploit-db.com/exploits/44607

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ModbusPal 1.6b
No auth needed
Prerequisites: Attacker-controlled server to host malicious XML file · Victim must open the crafted .xmpa or .xmpp file in ModbusPal
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/44607/

Scores

CVSS v3: 5.5
EPSS: 0.0602
EPSS Percentile: 92.4%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE: CWE-611
Status: published
Products (1)
modbuspal_project/modbuspal 1.6 b
Published: May 11, 2018
Tracked Since: Feb 18, 2026