CVE-2018-16509

HIGH EXPLOITED IN THE WILD LAB

Artifex Ghostscript <9.24 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2018-16509 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 6 public exploits from researchers including Metasploit, farisv, knqyf263, including a Metasploit module exploits/multi/fileformat/ghostscript_failed_restore.

AI-analyzed exploit summary This Metasploit module exploits a -dSAFER bypass in Ghostscript (CVE-2018-16509) by manipulating PostScript commands to execute arbitrary commands. It supports multiple targets including Unix, PowerShell, and Linux droppers.

Description

An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.

Exploits (6)

exploitdb WORKING POC VERIFIED

by Metasploit · rubylocallinux

https://www.exploit-db.com/exploits/45369

View Code ZIP pw:eip

This Metasploit module exploits a -dSAFER bypass in Ghostscript (CVE-2018-16509) by manipulating PostScript commands to execute arbitrary commands. It supports multiple targets including Unix, PowerShell, and Linux droppers.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ghostscript (versions affected by CVE-2018-16509)

No auth needed

Prerequisites: Victim must process a malicious PostScript file · Ghostscript with vulnerable version

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 58 stars

by farisv · remote-auth

https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509

View Code ZIP pw:eip

This repository provides a working proof-of-concept for CVE-2018-16509, exploiting a Ghostscript vulnerability via PIL/Pillow to achieve remote command execution. The exploit leverages a crafted EPS file to bypass -dSAFER restrictions in Ghostscript versions before 9.24.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ghostscript < 9.24 (via PIL/Pillow)

No auth needed

Prerequisites: Ghostscript < 9.24 installed on the target system · PIL/Pillow library used to process uploaded images · Ability to upload a crafted EPS file to the target application

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by knqyf263 · poc

https://github.com/knqyf263/CVE-2018-16509

View Code ZIP pw:eip

This repository demonstrates a Ghostscript -dSAFER sandbox bypass vulnerability (CVE-2018-16509) via a PHP script that processes image uploads using Imagick, which relies on Ghostscript. The exploit leverages improper handling of PostScript files to bypass security restrictions.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ghostscript (versions prior to 9.24)

No auth needed

Prerequisites: A vulnerable version of Ghostscript · Ability to upload a malicious PostScript file

MITRE ATT&CK

T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 1 stars

by rhpco · poc

https://github.com/rhpco/CVE-2018-16509

View Code ZIP pw:eip

This repository contains a working exploit for CVE-2018-16509, a privilege escalation vulnerability in Ghostscript. The exploit leverages incorrect restoration of privilege checks during handling of /invalidaccess exceptions to execute arbitrary code via the 'pipe' instruction.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Artifex Ghostscript before 9.24

No auth needed

Prerequisites: Ability to supply crafted PostScript to the target system

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by cved-sources · poc

https://github.com/cved-sources/cve-2018-16509

View Code ZIP pw:eip

The repository contains a minimal PHP script demonstrating image resizing via Imagick, but lacks exploit-specific code for CVE-2018-16509. The README references a Docker container management tool without providing exploit details.

Classification

Stub 80%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: ImageMagick (Imagick PHP extension)

No auth needed

Prerequisites: PHP with Imagick extension enabled

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Tavis Ormandy, wvu · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb

View Code ZIP pw:eip

This Metasploit module exploits a -dSAFER bypass in Ghostscript (CVE-2018-16509) by manipulating a failed restore in PostScript to disable LockSafetyParams and execute arbitrary commands. It supports multiple targets including Unix, PowerShell, and Linux dropper payloads.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ghostscript (versions affected by CVE-2018-16509)

No auth needed

Prerequisites: Access to a system with vulnerable Ghostscript · Ability to deliver a malicious PostScript file

MITRE ATT&CK