CVE-2018-18858

HIGH

LiquidVPN < 1.37 - Local Privilege Escalation via Unprotected XPC Service

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-18858. PoCs published by Bernd Leitner.

AI-analyzed exploit summary: The exploit demonstrates multiple privilege escalation vulnerabilities in LiquidVPN for macOS via an XPC service that fails to filter incoming messages. It includes PoC code for arbitrary command execution, command injection, and loading arbitrary kernel extensions.

Description

Multiple local privilege escalation vulnerabilities have been identified in the LiquidVPN client through 1.37 for macOS. An attacker can communicate with an unprotected XPC service and directly execute arbitrary OS commands as root or load a potentially malicious kernel extension because com.smr.liquidvpn.OVPNHelper uses the system function to execute the "tun_path" or "tap_path" pathname within a shell command.

Exploits (1)

exploitdb WORKING POC
by Bernd Leitner · c · local · macos
https://www.exploit-db.com/exploits/45782

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: LiquidVPN for macOS versions 1.37, 1.36 and earlier
No auth needed
Prerequisites: Local access to the system · LiquidVPN installed
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/45782/
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Nov/1

Scores

CVSS v3 7.8
EPSS 0.0050
EPSS Percentile 66.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (1)
liquidvpn/liquidvpn < 1.37
Published Nov 20, 2018
Tracked Since Feb 18, 2026