CVE-2018-19276

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

OpenMRS Java Deserialization RCE

Title source: metasploit

Exploitation Summary

CVE-2018-19276 has been observed exploited in the wild (reported by VulnCheck KEV and InTheWild.io). EIP tracks 4 public exploits from researchers including Metasploit, Bishop Fox, and mpgn; one of them is the Metasploit module `exploits/multi/http/openmrs_deserialization`. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a Java deserialization vulnerability (CVE-2018-19276) in OpenMRS Platform via a malicious XML payload sent to the REST API endpoint `/ws/rest/v1/concept`. It achieves unauthenticated remote code execution by leveraging the ImageIO component of the XStream library.

Description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · linux
https://www.exploit-db.com/exploits/47792

This Metasploit module exploits a Java deserialization vulnerability (CVE-2018-19276) in OpenMRS Platform via a malicious XML payload sent to the REST API endpoint `/ws/rest/v1/concept`. It achieves unauthenticated remote code execution by leveraging the ImageIO component of the XStream library.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenMRS Platform v2.1.2, v2.21, and others
No auth needed
Prerequisites: Network access to the OpenMRS REST API endpoint · Vulnerable version of OpenMRS Platform
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Bishop Fox · text · webapps · java
https://www.exploit-db.com/exploits/46327

This exploit leverages insecure deserialization in OpenMRS to execute arbitrary commands via a crafted XML payload sent to the REST API, resulting in a reverse shell. The payload uses Java deserialization gadgets to trigger command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenMRS Platform (version not specified)
No auth needed
Prerequisites: Network access to the OpenMRS REST API · Java 8 environment on the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 16 stars
by mpgn · remote
https://github.com/mpgn/CVE-2018-19276

This repository contains a functional exploit for CVE-2018-19276, an insecure object deserialization vulnerability in OpenMRS. The exploit leverages a crafted XML payload to achieve remote code execution (RCE) via Java deserialization gadgets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenMRS Platform (versions < 2.1.4, < 2.0.8, < 1.12.1) and Reference Application (versions < 2.8.1, < 2.7.2, < 2.6.2)
No auth needed
Prerequisites: Network access to the OpenMRS REST API endpoint · OpenMRS instance with vulnerable version
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Nicolas Serra, mpgn, Shelby Pace · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/openmrs_deserialization.rb

This Metasploit module exploits a Java deserialization vulnerability in OpenMRS via a malicious XML payload sent to the `/ws/rest/v1/concept` endpoint, achieving unauthenticated RCE. It uses Marshalsec-generated payloads targeting the XStream library's ImageIO component.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenMRS Platform v2.1.2, v2.21 (and others)
No auth needed
Prerequisites: Network access to OpenMRS REST API · Vulnerable OpenMRS version
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

OpenMRS Platform < 2.24.0 - Insecure Object Deserialization
CRITICAL · VERIFIED · by DhiyaneshDK
Shodan: html:"OpenMRS"

Scores

CVSS v3: 9.8
EPSS: 0.9881
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV: 2020-10-14
InTheWild.io: 2021-10-14
CWE: CWE-502
Status: published
Products (1): openmrs/openmrs 1.12.0 - 1.12.1
Published: Mar 21, 2019
Tracked Since: Feb 18, 2026