CVE-2018-25117
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-15

Last updated on: 2025-10-16

Assigner: VulnCheck

Description
VestaCP commit a3f0fa1 (2018-05-31) up to commit ee03eff (2018-06-13) contain embedded malicious code that resulted in a supply-chain compromise. New installations created from the compromised installer since at least May 2018 were subject to installation of Linux/ChachaDDoS, a multi-stage DDoS bot that uses Lua for second- and third-stage components. The compromise leaked administrative credentials (base64-encoded admin password and server domain) to an external URL during installation and/or resulted in the installer dropping and executing a DDoS malware payload under local system privileges. Compromised servers were subsequently observed participating in large-scale DDoS activity. Vesta acknowledged exploitation in the wild in October 2018.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-15
Last Modified
2025-10-16
Generated
2026-06-16
AI Q&A
2025-10-15
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25117
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux *
vestacp vestacp *
lua lua *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-506 The product contains code that appears to be malicious in nature.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25117 is a critical supply-chain compromise affecting VestaCP's Debian installer between May 31 and June 13, 2018. The compromised installer contained embedded malicious code that leaked administrative credentials (including base64-encoded admin passwords and server domain information) to an external URL during installation. It also installed and executed Linux/ChachaDDoS, a multi-stage DDoS bot malware that uses Lua scripts for its second- and third-stage components. This malware runs with local system privileges and causes infected servers to participate in large-scale DDoS attacks. The vulnerability was actively exploited in the wild and has a high severity score (CVSS v4 score of 9.3). The issue was fixed in later patches that removed the malicious code and improved security measures. [1, 8, 7]

Impact Analysis

This vulnerability can severely impact you by compromising your server's security and integrity. During installation, your administrative credentials can be leaked to attackers, allowing unauthorized access. The compromised installer installs a DDoS bot malware (Linux/ChachaDDoS) that runs with local system privileges, enabling attackers to control your server to participate in large-scale distributed denial-of-service (DDoS) attacks. This can lead to your server being used maliciously, potential service disruptions, unauthorized access, and loss of control over your system. Additionally, attackers may execute arbitrary payloads with elevated privileges and erase logs to cover their tracks, making detection and recovery difficult. [1, 2, 8, 7]

Detection Guidance

Detection of CVE-2018-25117 involves checking for indicators of compromise such as the presence of the malicious trojan binary /usr/bin/dhcprenew, which disguises itself as a kernel worker process. Administrators should verify if this binary exists and remove it if found. Monitoring for unusual SSH activity, such as unauthorized password changes without log entries and execution of suspicious payloads (e.g., files like /var/tmp/creator-x86_64-1), is important. Additionally, checking for the presence of the Linux/ChachaDDoS malware persistence mechanisms, such as init.d service scripts (/etc/init.d/dhcprenew) and symlinks in /etc/rc*.d/ directories, can help detect infection. Network detection can include monitoring outbound connections to suspicious IP ranges (e.g., 193.201.224.0/24 on port 8852) and unusual DDoS traffic patterns. Suggested commands include: - `ls -l /usr/bin/dhcprenew` to check for the trojan binary - `ps aux | grep dhcprenew` to see if the process is running - `ls -l /etc/init.d/dhcprenew` and `ls -l /etc/rc*.d/*dhcprenew` to check for persistence scripts - `grep -i 'creator-x86_64-1' /var/tmp/` and checking permissions with `ls -l /var/tmp/creator-x86_64-1` - Reviewing SSH logs (e.g., /var/log/auth.log or /var/log/secure) for suspicious activity, although attackers may have deleted these logs - Monitoring network connections with `netstat -anp | grep 8852` or using tools like `tcpdump` to detect connections to known C&C IPs Because attackers may erase logs and use stealthy methods, combining file system checks, process monitoring, and network traffic analysis is recommended. [2, 7, 8]

Mitigation Strategies

Immediate mitigation steps include: 1. Verify if your server is compromised by checking for the presence of the /usr/bin/dhcprenew trojan binary and removing it if found. 2. Change all VestaCP admin passwords immediately, especially if you suspect compromise. 3. Update VestaCP installations to version 0.9.8-23 or later, which includes fixes for this vulnerability and removes the compromised installer behavior. 4. Ensure that your system is patched and that you use official, verified VestaCP packages from trusted repositories. 5. Restrict SSH access by using strong passwords, disabling root login, and employing IP whitelisting or key-based authentication. 6. Monitor for unusual SSH login attempts and brute-force attacks, and consider using tools like fail2ban. 7. Check for and remove any suspicious files or payloads such as /var/tmp/creator-x86_64-1. 8. Review sudo permissions to ensure they are limited to necessary commands only. 9. Monitor network traffic for connections to known malicious IP ranges and block them if possible. These steps help prevent further exploitation, remove existing malware, and secure the environment against similar attacks. [2, 7, 8]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart