CVE-2018-18850

HIGH

Octopus Server 2018.8.0-2018.9.x - Authenticated Remote Code Execution via YAML Configuration

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18850. Includes Metasploit module exploits/windows/http/octopusdeploy_deploy.

AI-analyzed exploit summary This Metasploit module exploits an authenticated RCE vulnerability in Octopus Deploy by injecting a PowerShell payload into a deployment step. It requires valid credentials or an API key to create a temporary step, trigger a deployment, and execute the payload.

Description

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).

Exploits (1)

metasploit WORKING POC EXCELLENT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/octopusdeploy_deploy.rb

This Metasploit module exploits an authenticated RCE vulnerability in Octopus Deploy by injecting a PowerShell payload into a deployment step. It requires valid credentials or an API key to create a temporary step, trigger a deployment, and execute the payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Octopus Deploy
Auth required
Prerequisites: Valid Octopus Deploy credentials or API key · Access to the Octopus Deploy server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/OctopusDeploy/Issues/issues/5042

Scores

CVSS v3 8.8
EPSS 0.1247
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (1)
octopus/octopus_server 2018.8.0 - 2018.8.12
Published Oct 31, 2018
Tracked Since Feb 18, 2026