CVE-2018-10900

HIGH

Network Manager VPNC Username Privilege Escalation

Title source: metasploit
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-10900. PoCs published by Metasploit, Denis Andzakovic, bcoles, including Metasploit module exploits/linux/local/network_manager_vpnc_username_priv_esc.

AI-analyzed exploit summary This Metasploit module exploits a newline injection vulnerability in Network Manager VPNC plugin (CVE-2018-10900) to achieve local privilege escalation by injecting a 'Password helper' directive into the VPN configuration, which executes arbitrary code as root when the connection is started.

Description

Network Manager VPNC plugin (aka networkmanager-vpnc) before version 1.2.6 is vulnerable to a privilege escalation attack. A new line character can be used to inject a Password helper parameter into the configuration data passed to VPNC, allowing an attacker to execute arbitrary commands as root.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/45313

This Metasploit module exploits a newline injection vulnerability in Network Manager VPNC plugin (CVE-2018-10900) to achieve local privilege escalation by injecting a 'Password helper' directive into the VPN configuration, which executes arbitrary code as root when the connection is started.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: NetworkManager VPNC plugin versions prior to 1.2.6
No auth needed
Prerequisites: Local access to a vulnerable system · NetworkManager with VPNC plugin installed · Ability to create VPN connections via nmcli
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Denis Andzakovic, bcoles · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/network_manager_vpnc_username_priv_esc.rb

This Metasploit module exploits a newline injection vulnerability in Network Manager VPNC to escalate privileges to root by injecting a malicious 'Password helper' directive into the VPN configuration, which executes arbitrary code as root when the connection is started.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: NetworkManager VPNC versions prior to 1.2.6
No auth needed
Prerequisites: Network Manager VPNC installed · nmcli utility available · ability to create VPN connections
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4253
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201808-03
Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00048.html
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45313/
Exploit, Third Party Advisory x_refsource_misc
https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Patch, Third Party Advisory, Vendor Advisory x_refsource_confirm
https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.novell.com/show_bug.cgi?id=1101147
Third Party Advisory, Vendor Advisory x_refsource_confirm
https://download.gnome.org/sources/NetworkManager-vpnc/1.2/NetworkManager-vpnc-1.2.6.news
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10900

Scores

CVSS v3 7.8
EPSS 0.1468
EPSS Percentile 94.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (3)
debian/debian_linux 8.0
debian/debian_linux 9.0
gnome/network_manager_vpnc < 1.2.6
Published Jul 26, 2018
Tracked Since Feb 18, 2026