CVE-2018-15657

HIGH

42gears SureMDM < 2018-11-27 - Server-Side Request Forgery via DownloadUrlResponse.ashx URL Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-15657. PoCs published by Digital Interruption.

AI-analyzed exploit summary: This exploit demonstrates a Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerability in SureMDM prior to the November 2018 patch. The vulnerability allows an attacker to read local files or force the server to fetch remote files via the 'url' parameter in the DownloadUrlResponse.ashx endpoint.

Description

An SSRF issue was discovered in 42Gears SureMDM before 2018-11-27 via the /api/DownloadUrlResponse.ashx "url" parameter.

Exploits (1)

exploit-db · Working PoC
by Digital Interruption · text · webapps · windows
https://www.exploit-db.com/exploits/46305

Classification
Working PoC: 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: SureMDM versions prior to November 2018 patch
Auth required: yes
Prerequisites: Valid API key · Network access to the target server
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/46305/

Scores

CVSS v3: 7.3
EPSS: 0.0156
EPSS Percentile: 72.2%
Attack Vector: LOCAL
Vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-918
Status: published
Products (1): 42gears/suremdm < 2018-11-27
Published: Feb 05, 2019
Tracked Since: Feb 18, 2026