CVE-2018-18556

CRITICAL

VyOS restricted-shell Escape and Privilege Escalation

Title source: metasploit

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18556. PoCs published by Rich Mirch and bcoles, including the Metasploit module exploits/linux/ssh/vyos_restricted_shell_privesc.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in VyOS's restricted shell and sudo configuration to escalate privileges to root. It leverages the `telnet` command to break out of the restricted shell and then uses a vulnerable Perl script to execute arbitrary commands as root.

Description

A privilege escalation issue was discovered in VyOS 1.1.8. The default configuration also allows operator users to execute the pppd binary with elevated (sudo) permissions. Certain input parameters are not properly validated. A malicious operator user can run the binary with elevated permissions and leverage its improper input validation condition to spawn an attacker-controlled shell with root privileges.

Exploits (1)

metasploit · WORKING POC · GREAT
by Rich Mirch, bcoles · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/vyos_restricted_shell_privesc.rb


Classification
Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: VyOS versions 1.0.0 to 1.1.8
Auth required
Prerequisites: SSH access with valid credentials · Operator-level privileges on VyOS
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.9
EPSS 0.1541
EPSS Percentile 96.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

Status published
Products (1)
vyos/vyos 1.1.8
Published Dec 17, 2018
Tracked Since Feb 18, 2026