CVE-2018-19276

CRITICAL EXPLOITED IN THE WILD NUCLEI

OpenMRS Java Deserialization RCE

Title source: metasploit

Description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

Exploits (4)

nomisec WORKING POC 16 stars
by mpgn · remote
https://github.com/mpgn/CVE-2018-19276
exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/47792
metasploit WORKING POC NORMAL
by Nicolas Serra, mpgn, Shelby Pace · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openmrs_deserialization.rb
exploitdb WORKING POC
by Bishop Fox · text · webapps · java
https://www.exploit-db.com/exploits/46327

Nuclei Templates (1)

OpenMRS Platform < 2.24.0 - Insecure Object Deserialization
CRITICAL VERIFIED by DhiyaneshDK
Shodan: html:"OpenMRS"

Scores

CVSS v3 9.8
EPSS 0.9333
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2020-10-14
InTheWild.io 2021-10-14

Classification

CWE
CWE-502
Status published

Affected Products (1)

openmrs/openmrs < 1.12.1

Timeline

Published Mar 21, 2019
Tracked Since Feb 18, 2026