CVE-2018-1111

HIGH IN THE WILD

DHCP Client Command Injection (DynoRoot)

Title source: metasploit
STIX 2.1

Exploitation Summary

CVE-2018-1111 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 6 public exploits from researchers including Metasploit, Kevin Kirsche, knqyf263, including a Metasploit module exploits/unix/dhcp/rhel_dhcp_client_command_injection.

AI-analyzed exploit summary This Metasploit module exploits CVE-2018-1111 (DynoRoot), a command injection vulnerability in the DHCP client's NetworkManager integration script in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier. It acts as a malicious DHCP server to inject arbitrary commands with root privileges via crafted DHCP options.

Description

DHCP packages in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier are vulnerable to a command injection flaw in the NetworkManager integration script included in the DHCP client. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotelinux
https://www.exploit-db.com/exploits/44890

This Metasploit module exploits CVE-2018-1111 (DynoRoot), a command injection vulnerability in the DHCP client's NetworkManager integration script in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier. It acts as a malicious DHCP server to inject arbitrary commands with root privileges via crafted DHCP options.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: DHCP client (NetworkManager integration script) in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier
No auth needed
Prerequisites: Network access to spoof DHCP responses · Target system using NetworkManager and DHCP for network configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Kevin Kirsche · pythonlocallinux
https://www.exploit-db.com/exploits/44652

This exploit leverages a DHCP client command injection vulnerability (CVE-2018-1111) in NetworkManager on RHEL/CentOS systems. It crafts a malicious DHCP response with an injected payload (default: reverse shell) to achieve remote code execution when a vulnerable client processes the response.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NetworkManager (RHEL 6.x/7.x, CentOS 6.x/7.x)
No auth needed
Prerequisites: Network access to DHCP client · Vulnerable NetworkManager version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 13 stars
by knqyf263 · poc
https://github.com/knqyf263/CVE-2018-1111

This PoC exploits CVE-2018-1111, a DHCP client command injection vulnerability in NetworkManager. The attacker script sets up a malicious DHCP server with a payload that triggers a reverse shell, while the victim script simulates a vulnerable client connecting to it.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: NetworkManager (versions prior to 1.10.6)
No auth needed
Prerequisites: Network access to the victim's DHCP client · Victim must request a DHCP lease
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 12 stars
by kkirsche · poc
https://github.com/kkirsche/CVE-2018-1111

This repository contains a working exploit for CVE-2018-1111, a DHCP client command injection vulnerability in Red Hat Enterprise Linux and CentOS. The exploit leverages a malicious DHCP server to inject arbitrary commands via DHCP options, achieving remote code execution with root privileges.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Red Hat Enterprise Linux 6.x/7.x, CentOS 6.x/7.x, Fedora 27/28 with NetworkManager
No auth needed
Prerequisites: Network access to spoof DHCP responses · Target system configured to use DHCP
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by baldassarreFe · poc
https://github.com/baldassarreFe/FEP3370-advanced-ethical-hacking

This repository contains a proof-of-concept exploit for CVE-2018-1111 (DynoRoot), a command injection vulnerability in the DHCP client implementation of Fedora and RedHat systems. The exploit leverages a rogue DHCP server to inject malicious payloads into DHCP options, which are then executed with root privileges on the victim machine.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Fedora 28, RedHat with NetworkManager
No auth needed
Prerequisites: A rogue DHCP server setup · Victim machine running vulnerable Fedora/RedHat · Network access to the victim
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Felix Wilhelm · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb

This Metasploit module exploits CVE-2018-1111 (DynoRoot), a command injection vulnerability in the DHCP client's NetworkManager integration script in Red Hat Enterprise Linux 6 and 7, Fedora 28, and earlier. It leverages a malicious DHCP server or spoofed DHCP responses to execute arbitrary commands with root privileges.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Red Hat Enterprise Linux 6 and 7, Fedora 28 and earlier (DHCP client with NetworkManager)
No auth needed
Prerequisites: Network access to spoof DHCP responses · Target system using NetworkManager and DHCP for network configuration
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (21)

Core 21
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1111
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2018-10
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/104195
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1040912
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1454
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1455
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1457
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1459
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1453
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1524
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1456
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1461
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44652/
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44890/
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1458
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1460

Scores

CVSS v3 7.5
EPSS 0.8823
EPSS Percentile 99.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

InTheWild.io 2018-07-16
CWE
CWE-78 CWE-77
Status published
Products (22)
fedoraproject/fedora 26
fedoraproject/fedora 27
fedoraproject/fedora 28
redhat/enterprise_linux 6.0
redhat/enterprise_linux 6.4
redhat/enterprise_linux 6.5
redhat/enterprise_linux 6.6
redhat/enterprise_linux 6.7
redhat/enterprise_linux 7.0
redhat/enterprise_linux 7.2
... and 12 more
Published May 17, 2018
Tracked Since Feb 18, 2026