CVE-2018-19422

HIGH

Subrion CMS < 4.2.2 - Remote Code Execution via .pht or .phar File Upload

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2018-19422. PoCs published by Fellipe Oliveira, hev0x, Swammers8, including Metasploit module exploits/multi/http/subrion_cms_file_upload_rce.

AI-analyzed exploit summary This exploit leverages an authenticated file upload bypass in Subrion CMS 4.2.1 to achieve remote code execution by uploading a malicious PHAR file disguised as a webshell. It requires valid credentials and uses CSRF token extraction for authentication.

Description

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these.

Exploits (6)

exploitdb WORKING POC

by Fellipe Oliveira · pythonwebappsphp

https://www.exploit-db.com/exploits/49876

View Code ZIP pw:eip

This exploit leverages an authenticated file upload bypass in Subrion CMS 4.2.1 to achieve remote code execution by uploading a malicious PHAR file disguised as a webshell. It requires valid credentials and uses CSRF token extraction for authentication.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Subrion CMS 4.2.1

Auth required

Prerequisites: Valid credentials for Subrion CMS · Network access to the target · BeautifulSoup library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 8 stars

by hev0x · poc

https://github.com/hev0x/CVE-2018-19422-SubrionCMS-RCE

View Code ZIP pw:eip

This PoC exploits an authenticated file upload vulnerability in Subrion CMS 4.2.1, allowing arbitrary PHP code execution via .phar file uploads. It includes authentication bypass, CSRF token handling, and a webshell for command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Subrion CMS 4.2.1

Auth required

Prerequisites: Valid credentials for Subrion CMS panel · Network access to the target · Python 3 with BeautifulSoup library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 4 stars

by Swammers8 · poc

https://github.com/Swammers8/SubrionCMS-4.2.1-File-upload-RCE-auth-

View Code ZIP pw:eip

This is a functional exploit for CVE-2018-19422, targeting Subrion CMS 4.2.1. It authenticates, uploads a malicious PHAR file bypassing restrictions, and achieves remote code execution via a webshell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Subrion CMS 4.2.1

Auth required

Prerequisites: Valid credentials for Subrion CMS · Network access to the target · Python 3 with BeautifulSoup and requests libraries

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by Drew-Alleman · poc

https://github.com/Drew-Alleman/CVE-2018-19422

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2018-19422, targeting Subrion CMS 4.2.1. It bypasses file upload restrictions to achieve authenticated remote code execution by uploading a malicious PHP shell disguised as a .phar file.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Subrion CMS 4.2.1

Auth required

Prerequisites: valid credentials for Subrion CMS panel · network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/h3v0x/cve-2018-19422-subrioncms-rce

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2018-19422, which allows authenticated remote code execution in Subrion CMS 4.2.1 via a file upload bypass (.phar extension) in the /panel/uploads directory. The exploit automates login, CSRF token extraction, webshell upload, and command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Subrion CMS 4.2.1

Auth required

Prerequisites: valid credentials for Subrion CMS admin panel · network access to the target · Python 3 with BeautifulSoup library

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

by Hexife, Fellipe Oliveira, Ismail E. Dawoodjee · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated file upload vulnerability in Subrion CMS 4.2.1 and lower. It bypasses .htaccess restrictions by uploading a .phar file containing a PHP payload, achieving remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Subrion CMS <= 4.2.1

Auth required

Prerequisites: Valid admin credentials · Access to the admin panel

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/162591/Subrion-CMS-4.2.1-Shell-Upload.html

Exploit, Third Party Advisory

https://github.com/intelliants/subrion/issues/801

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/173998/Intelliants-Subrion-CMS-4.2.1-Remote-Code-Execution.html

Scores

CVSS v3 7.2

EPSS 0.8388

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

intelliants/subrion 0 - 4.2.2Packagist

intelliants/subrion_cms 4.2.1

Published Nov 21, 2018

Tracked Since Feb 18, 2026