CVE-2018-17553

HIGH

Navigate CMS 2.8 - Authenticated Remote Code Execution via Directory Traversal in navigate_upload.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-17553. PoCs published by Metasploit, MidwintersTomb, Pyriphlegethon, including Metasploit module exploits/multi/http/navigate_cms_rce.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass (CVE-2018-17552) and a file upload vulnerability (CVE-2018-17553) in Navigate CMS 2.8 and prior to achieve unauthenticated remote code execution. It bypasses login via SQL injection and uploads a malicious PHP file to execute arbitrary code.

Description

An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/45561

This Metasploit module exploits an authentication bypass (CVE-2018-17552) and a file upload vulnerability (CVE-2018-17553) in Navigate CMS 2.8 and prior to achieve unauthenticated remote code execution. It bypasses login via SQL injection and uploads a malicious PHP file to execute arbitrary code.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Navigate CMS <= 2.8
No auth needed
Prerequisites: Network access to the target · Navigate CMS installation with vulnerable endpoints
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by MidwintersTomb · poc
https://github.com/MidwintersTomb/CVE-2018-17553

This PoC exploits CVE-2018-17553 in Navigate CMS 2.8 and prior by uploading a malicious file via a path traversal vulnerability in the file upload functionality. It requires prior authentication via CVE-2018-17552 and uses cURL to send a crafted multipart/form-data request.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Navigate CMS version 2.8 and prior
Auth required
Prerequisites: Valid session ID from prior authentication (e.g., via CVE-2018-17552) · cURL installed on the attacker's machine · PHP webshell or malicious file prepared for upload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Pyriphlegethon · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/navigate_cms_rce.rb

This Metasploit module exploits an authentication bypass (CVE-2018-17552) and a path traversal vulnerability (CVE-2018-17553) in Navigate CMS 2.8 and prior to achieve unauthenticated remote code execution. It bypasses login via SQL injection in the session cookie and uploads a malicious PHP file to an arbitrary location.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Navigate CMS <= 2.8
No auth needed
Prerequisites: Network access to the target · Navigate CMS installation with default or vulnerable configuration
devstral-2 · analyzed Apr 30, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45561/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/rapid7/metasploit-framework/pull/10704

Scores

CVSS v3 8.8
EPSS 0.7955
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22 CWE-434
Status published
Products (1)
naviwebs/navigate_cms 2.8
Published Oct 03, 2018
Tracked Since Feb 18, 2026