CVE-2018-16671

MEDIUM NUCLEI

CIRCONTROL CirCarLife <4.3 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-16671. PoCs published by SadFud. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets CirCarLife SCADA systems (versions < 4.3.0) and PsiOcppApp (versions < 1.5.0) to disclose sensitive information, including admin credentials, via multiple endpoints. It leverages CVE-2018-12634 and related CVEs to extract software versions, PLC statuses, installation paths, and GPRS modem details.

Description

An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is system software information disclosure due to lack of authentication for /html/device-id.

Exploits (1)

exploitdb WORKING POC
by SadFud · pythonwebappshardware
https://www.exploit-db.com/exploits/45384

This exploit targets CirCarLife SCADA systems (versions < 4.3.0) and PsiOcppApp (versions < 1.5.0) to disclose sensitive information, including admin credentials, via multiple endpoints. It leverages CVE-2018-12634 and related CVEs to extract software versions, PLC statuses, installation paths, and GPRS modem details.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: CirCarLife SCADA < 4.3.0, PsiOcppApp < 1.5.0
No auth needed
Prerequisites: Network access to the target system · Exposed endpoints (e.g., /html/log, /services/system/info.html)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

CirCarLife <4.3 - Improper Authentication
MEDIUMby geeknik

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45384/

Scores

CVSS v3 5.3
EPSS 0.0892
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
circontrol/circarlife_scada < 4.3
Published Sep 18, 2018
Tracked Since Feb 18, 2026