CVE-2018-16660

HIGH

Imperva SecureSphere <13.1.0.10 - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-16660. PoCs published by rsp3ar, rsp3ar <lukunming<at>gmail.com>, including Metasploit module exploits/linux/http/imperva_securesphere_exec.

AI-analyzed exploit summary This exploit demonstrates a command injection vulnerability in Imperva SecureSphere 13's PWS component, allowing unauthenticated or authenticated remote code execution via crafted parameters in the 'impcli' endpoint. The PoC uses base64-encoded commands injected into the 'installer-address' parameter.

Description

A command injection vulnerability in PWS in Imperva SecureSphere 13.0.0.10 and 13.1.0.10 Gateway allows an attacker with authenticated access to execute arbitrary OS commands on a vulnerable installation.

Exploits (2)

exploitdb WORKING POC VERIFIED

by rsp3ar · pythonwebappslinux

https://www.exploit-db.com/exploits/45542

View Code ZIP pw:eip

This exploit demonstrates a command injection vulnerability in Imperva SecureSphere 13's PWS component, allowing unauthenticated or authenticated remote code execution via crafted parameters in the 'impcli' endpoint. The PoC uses base64-encoded commands injected into the 'installer-address' parameter.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Imperva SecureSphere 13.0.10, 13.1.10, 13.2.10

No auth needed

Prerequisites: Network access to the target · Pre-FTL mode for unauthenticated exploitation or valid agent registration password for authenticated exploitation

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by rsp3ar <lukunming<at>gmail.com> · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/imperva_securesphere_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits a command injection vulnerability in Imperva SecureSphere 13.x by injecting commands into the 'installer-address' parameter of the PWS service. It requires valid agent registration credentials for authentication.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Imperva SecureSphere 13.0/13.1/13.2

Auth required

Prerequisites: Valid agent registration credentials · Access to the PWS service on port 443

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product, Vendor Advisory x_refsource_misc

https://www.imperva.com/products/securesphere/web-application-firewall/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/45542/

Scores

CVSS v3 8.8

EPSS 0.1857

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (3)

imperva/securesphere 13.0.10

imperva/securesphere 13.1.10

imperva/securesphere 13.2.10

Published Apr 25, 2019

Tracked Since Feb 18, 2026