CVE-2018-16672

MEDIUM

CIRCONTROL CirCarLife <4.3 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-16672. PoCs published by SadFud.

AI-analyzed exploit summary This exploit targets CirCarLife SCADA systems (versions < 4.3.0) and PsiOcppApp (versions < 1.5.0) to disclose sensitive information, including admin credentials, via multiple endpoints. It leverages CVE-2018-12634 and related CVEs to extract software versions, PLC statuses, installation paths, and GPRS modem details.

Description

An issue was discovered in CIRCONTROL CirCarLife before 4.3. Due to the storage of multiple sensitive information elements in a JSON format at /services/system/setup.json, an authenticated but unprivileged user can exfiltrate critical setup information.

Exploits (1)

exploitdb WORKING POC
by SadFud · pythonwebappshardware
https://www.exploit-db.com/exploits/45384

This exploit targets CirCarLife SCADA systems (versions < 4.3.0) and PsiOcppApp (versions < 1.5.0) to disclose sensitive information, including admin credentials, via multiple endpoints. It leverages CVE-2018-12634 and related CVEs to extract software versions, PLC statuses, installation paths, and GPRS modem details.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: CirCarLife SCADA < 4.3.0, PsiOcppApp < 1.5.0
No auth needed
Prerequisites: Network access to the target system · Exposed endpoints (e.g., /html/log, /services/system/info.html)
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45384/

Scores

CVSS v3 6.5
EPSS 0.0172
EPSS Percentile 74.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
circontrol/circarlife_scada < 4.3
Published Sep 26, 2018
Tracked Since Feb 18, 2026