CVE-2008-4830
published 2009-04-16


Priority P260 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 27.59% (97.8th percentile)
Insecure method vulnerability in the KWEdit ActiveX control in SAP GUI 6.40 Patch 29 (KWEDIT.DLL 6400.1.1.41) and 7.10 Patch 5 (KWEDIT.DLL 7100.1.1.43) allows remote attackers to (1) overwrite arbitrary files via the SaveDocumentAs method or (2) read or execute arbitrary files via the OpenDocument method.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
sap | sap_gui | |
sap | sap_gui | |

Detection & IOCs (extracted from sources)

filename: KWEDIT.DLL
version: KWEDIT.DLL 6400.1.1.41
version: KWEDIT.DLL 7100.1.1.43
other: Kweditcontrol.KWedit.1
command: Comp_Download
path: /../../../../../../../../Documents and Settings/All Users/Start Menu/Programs/Startup/
  • Detect instantiation of the vulnerable ActiveX ProgID 'Kweditcontrol.KWedit.1' in browser script, which is the attack vector for CVE-2008-4830.
  • Monitor calls to the 'Comp_Download' method on the KWedit ActiveX control, particularly where the destination path contains directory traversal sequences (e.g., '../../../../') targeting Startup folders.
  • Alert on use of 'SaveDocumentAs' or 'OpenDocument' methods of the KWEdit ActiveX control (KWEDIT.DLL), which allow arbitrary file write and read/execute respectively.
  • Watch for executable files dropped into 'Documents and Settings\All Users\Start Menu\Programs\Startup\' via directory traversal from a web-delivered ActiveX payload.
  • The Metasploit module uses a randomly generated executable filename and variable name, so static filename-based detection will not be reliable; focus on the ActiveX ProgID and method calls instead.
  • The payload is served as 'application/octet-stream' from an attacker-controlled HTTP server; the SRVHOST may be any IP, so network-layer detection should focus on the ActiveX method invocation rather than a fixed C2 address.
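
The detection notes above, combined into one content-inspection check for proxy or mail-gateway HTML bodies. This is an added example, not code from the page or its sources; `triage`, the severity levels and the sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Indicators from this page, matched case-insensitively so casing changes
# in the script do not evade the rule.
PROGID = re.compile(r"kweditcontrol\.kwedit\.1", re.I)
METHOD = re.compile(r"\.\s*(Comp_Download|SaveDocumentAs|OpenDocument)\s*\(", re.I)
TRAVERSAL = re.compile(r"(?:\.\.[\\/]+){2,}")
STARTUP = re.compile(r"start menu[\\/]+programs[\\/]+startup", re.I)


def triage(body):
    """Return (level, hits) for one HTTP response body or cached HTML file."""
    text = unquote(body)  # fold %2e/%2f style encodings before matching
    hits = []
    if PROGID.search(text):
        hits.append("progid")
    methods = sorted({"method:" + m.lower() for m in METHOD.findall(text)})
    hits += methods
    if TRAVERSAL.search(text):
        hits.append("traversal")
    if STARTUP.search(text):
        hits.append("startup-path")
    # Method names such as OpenDocument are common in unrelated script, so
    # they only raise severity when the page also references the KWEdit ProgID.
    if "progid" in hits and methods and {"traversal", "startup-path"} & set(hits):
        return "high", hits
    if "progid" in hits:
        return "medium", hits
    return "none", hits


# Constructed samples (not captured traffic). SRC_PLACEHOLDER and the argument
# lists are placeholders and do not reflect the control's real method signatures.
SAMPLES = {
    "benign": '<script>doc.OpenDocument("report.txt");</script>',
    "progid_only": '<script>var k = new ActiveXObject("KWEditControl.KWEdit.1");</script>',
    "startup_drop": '<script>var k = new ActiveXObject("Kweditcontrol.KWedit.1");\n'
                    'k.Comp_Download(SRC_PLACEHOLDER, "/../../../../Documents and Settings/'
                    'All Users/Start Menu/Programs/Startup/placeholder.bin");</script>',
    "encoded": '<script>var k = new ActiveXObject("kweditcontrol.kwedit.1");'
               'k.SaveDocumentAs("..%2f..%2f..%2fplaceholder.txt");</script>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

The check only sees literal strings: script that builds the ProgID by concatenation, or a page that loads the control through an `<object>` tag by class ID (which this page does not list), will not match, so pair it with endpoint monitoring of writes to the Startup folder.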