CVE-2018-13416

CRITICAL

Universal Media Server 7.1.0 - Unauthenticated XML External Entity Injection via SSDP/UPnP Parser


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-13416. PoCs published by Chris Moberly.

AI-analyzed exploit summary: This exploit demonstrates an Out-of-Band XXE vulnerability in Universal Media Server's SSDP processing, allowing unauthenticated attackers to access arbitrary files, capture NetNTLM hashes, or achieve remote command execution via SMB relay attacks.

Description

In Universal Media Server (UMS) 7.1.0, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) access arbitrary files from the filesystem with the same permissions as the user account running UMS, (2) initiate SMB connections to capture a NetNTLM challenge/response and crack it to a cleartext password, or (3) initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Exploits (1)

exploitdb WORKING POC
by Chris Moberly · text · webapps · xml
https://www.exploit-db.com/exploits/45133

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Universal Media Server 7.1.0
No auth needed
Prerequisites: Network access to the target's LAN · UMS running and discoverable via SSDP
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45133/
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Jul/94

Scores

CVSS v3 9.8
EPSS 0.2019
EPSS Percentile 97.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-611
Status published
Products (1)
spirton/universal_media_server 7.1.0
Published Aug 03, 2018
Tracked Since Feb 18, 2026