CVE-2018-14667

CRITICAL KEV

RichFaces Framework 3.X-3.3.4 - Code Injection

Title source: llm

Exploitation Summary

CVE-2018-14667 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 28, 2023. EIP tracks 6 public exploits from researchers including syriusbughunt, Venscor, zeroto01.

AI-analyzed exploit summary: This repository contains a working proof-of-concept exploit for CVE-2018-14667, a remote code execution vulnerability in RichFaces 3.X. The exploit leverages deserialization of malicious objects to execute arbitrary commands on the target system.

Description

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

Exploits (6)

nomisec WORKING POC 50 stars
by syriusbughunt · client-side
https://github.com/syriusbughunt/CVE-2018-14667

This repository contains a working proof-of-concept exploit for CVE-2018-14667, a remote code execution vulnerability in RichFaces 3.X. The exploit leverages deserialization of malicious objects to execute arbitrary commands on the target system.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RichFaces 3.X
No auth needed
Prerequisites: Target system running RichFaces 3.X · Network access to the target system
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 8 stars
by Venscor · remote
https://github.com/Venscor/CVE-2018-14667-poc

This repository contains a working PoC for CVE-2018-14667, a deserialization vulnerability in RichFaces. The exploit generates a malicious serialized object that, when deserialized, executes arbitrary EL expressions leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: RichFaces (versions affected by CVE-2018-14667)
No auth needed
Prerequisites: Target must be running a vulnerable version of RichFaces · Network access to the target application
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by zeroto01 · poc
https://github.com/zeroto01/CVE-2018-14667

This repository contains a proof-of-concept exploit for CVE-2018-14667, a vulnerability in the Windows operating system that allows for remote code execution. The exploit is provided as a JavaScript file that, when executed, launches the Windows calculator application as a demonstration of the vulnerability.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows (specific version not specified)
No auth needed
Prerequisites: Access to the target system · Ability to execute JavaScript on the target system
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by quandqn · poc
https://github.com/quandqn/cve-2018-14667

This PoC exploits CVE-2018-14667, a deserialization vulnerability in JBoss RichFaces, by crafting a malicious serialized object that executes arbitrary EL expressions. The payload leverages JavaScript engine execution to achieve remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: JBoss RichFaces (versions affected by CVE-2018-14667)
No auth needed
Prerequisites: Target must be running a vulnerable version of JBoss RichFaces · Network access to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by r00t4dm · poc
https://github.com/r00t4dm/CVE-2018-14667

This repository contains a proof-of-concept exploit for CVE-2018-14667, a deserialization vulnerability in RichFaces. The exploit generates a malicious serialized object that, when deserialized, executes arbitrary commands via EL expressions.

Classification: Working PoC 95%
Attack Type: Deserialization
Complexity: Moderate
Reliability: Reliable
Target: RichFaces (specific version not specified)
No auth needed
Prerequisites: Access to a vulnerable RichFaces application · Ability to send crafted serialized data to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by nareshmail · poc
https://github.com/nareshmail/cve-2018-14667

This repository contains a README file with a brief description and a GIF demonstrating CVE-2018-14667, a vulnerability in the V8 JavaScript engine. No exploit code or technical details are provided.

Classification: Writeup 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: V8 JavaScript engine (specific version not specified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References (9)

Issue Tracking, Vendor Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:3519
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:3581
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:3518
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:3517
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1042037
Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2020/Mar/21

Scores

CVSS v3 9.8
EPSS 0.8946
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-09-28
VulnCheck KEV 2023-09-28
InTheWild.io 2023-09-28
ENISA EUVD EUVD-2022-4307
CWE
CWE-94
Status published
Products (4)
org.richfaces/richfaces-core 0 - 3.3.4 (Maven)
redhat/enterprise_linux 5.0
redhat/enterprise_linux 6.0
redhat/richfaces 3.1.0 - 3.3.4
Published Nov 06, 2018
KEV Added Sep 28, 2023
Tracked Since Feb 18, 2026