cbcvebase.
CVE-2008-1965
published 2008-04-25

CVE-2008-1965: Argument injection vulnerability in the cai: URI handler in rcplauncher in IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2, as used by Lotus Symphony…

PriorityP355critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
10.67%
95.2th percentile
Argument injection vulnerability in the cai: URI handler in rcplauncher in IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2, as used by Lotus Symphony and possibly other products, allows remote attackers to execute arbitrary code by injecting a -launcher option via a cai: URI, as demonstrated by a reference to a UNC share pathname.

Affected

2 ranges
VendorProductVersion rangeFixed in
ibmlotus_expeditor_client
ibmlotus_expeditor_client

Detection & IOCsextracted from sources · hover to see the quote

urlcai:"%20-launcher%20\\6.6.6.6\d$\trojan
command-launcher
  • Monitor for cai: URI handler invocations containing the '-launcher' argument, which indicates exploitation of the argument injection vulnerability in rcplauncher.
  • Detect cai: URIs referencing UNC share pathnames (e.g., \\<IP>\<share>\<file>), as this is the demonstrated exploitation technique.
  • Flag URL-encoded whitespace (%20) combined with '-launcher' within cai: URI strings, matching the known proof-of-concept payload pattern.
  • ·Affected versions are IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2; the exact full version range may be broader as the BID notes uncertainty.
  • ·The vulnerability is in the cai: URI handler component 'rcplauncher' and may affect any product bundling Lotus Expeditor, including Lotus Symphony.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.