CVE-2018-25117
CVE-2018-25117 is a critical-severity vulnerability with a CVSS 4.0 base score of 9.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-506.
Key facts
- Severity: Critical (CVSS 4.0 base score 9.3)
- EPSS exploit prediction: 0% (32nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2018-21604
- Weakness: CWE-506
- Published:
- Last modified:
Description
VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018.
Frequently asked questions
- What is CVE-2018-25117?
- VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018.
- How severe is CVE-2018-25117?
- CVE-2018-25117 has a CVSS 4.0 base score of 9.3, rated critical severity.
- Is CVE-2018-25117 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2018-25117?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2018-25117 have an EU (EUVD) identifier?
- Yes. CVE-2018-25117 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-21604.
- When was CVE-2018-25117 published?
- CVE-2018-25117 was published on 2025-10-15 and last updated on 2026-06-17.
References
- https://forum.vestacp.com/viewtopic.php?f=10&t=17641&p=73282
- https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=180#p73907
- https://github.com/outroll/vesta
- https://github.com/outroll/vesta/commit/a3f0fa1501d424477786e3e7150bb05c0b99518f#diff-df8da0c91e9086454c60cd468849630dR1256
- https://github.com/outroll/vesta/commit/ee03eff016e03cb76fac7ae3a0f9d1ef0f8ee35b#diff-df8da0c91e9086454c60cd468849630dL1270
- https://vestacp.com/
- https://www.vulncheck.com/advisories/vestacp-debian-installer-malicious-backdoor-supply-chain-compromise
- https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/
Other CWE-506 vulnerabilities
- CVE-2026-28353 — Critical (CVSS 10.0): Trivy Vulnerability Scanner is a VS Code extension that helps find vulnerabilities. In Trivy VSCode Extension version…
- CVE-2024-3094 — Critical (CVSS 10.0): Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of…
- CVE-2026-48027 — Critical (CVSS 9.8): Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was…
- CVE-2026-8398 — Critical (CVSS 9.8): A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421…
- CVE-2026-44484 — Critical (CVSS 9.8): PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have…
- CVE-2026-6443 — Critical (CVSS 9.8): All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to…