cbcvebase.
CVE-2009-1943
published 2009-06-05

CVE-2009-1943: Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long…

PriorityP272critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
72.21%
99.4th percentile
Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long request to UDP port 62514.

Affected

12 ranges
VendorProductVersion rangeFixed in
safenet-incsoftremote<= 10.8.5
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote
safenet-incsoftremote

Detection & IOCsextracted from sources · hover to see the quote

processireIke.exe
portUDP/62514
commandregister_options([Opt::RPORT(62514)], self)
otherRET 0x004514a9 (call esi gadget in IreIKE.exe, target SafeNet IreIKE 10.8.0.20)
otherRET 0x00451889 (SafeNet IreIKE 10.8.0.10)
otherRET 0x00451929 (SafeNet IreIKE 10.8.3.6)
bytes
\x01\x00\x00\x00 (IPC packet header prefix)
bytes
\x81\xc4\x54\xf2\xff\xff (PrependEncoder stack adjustment stub)
  • Alert on any UDP traffic to port 62514 originating from external/untrusted hosts targeting the IKE service; oversized packets (beyond normal IKE framing) are indicative of exploitation.
  • EIP control occurs at offset 213 bytes into the payload; a UDP payload to port 62514 with length ≥213 bytes starting with the 4-byte IPC magic \x01\x00\x00\x00 is a strong exploit indicator.
  • Bad characters in exploit payload are \x00\x0a\x20\x0d; any IDS/IPS signature for this CVE should flag UDP/62514 payloads that do NOT contain these bytes but are abnormally long.
  • Monitor for ireIke.exe spawning unexpected child processes or making outbound TCP connections, which would indicate successful shellcode execution (e.g., reverse_ord_tcp payload).
  • ·Exploit payload space is only 213 bytes; staged/encoded payloads (e.g., reverse_ord_tcp) are required. Detection signatures must account for encoded shellcode rather than raw shellcode patterns.
  • ·The return address (call esi gadget) differs across three known build versions of IreIKE.exe (10.8.0.20, 10.8.0.10, 10.8.3.6); version-specific RET values must be used for reliable exploitation, meaning detection should not rely solely on a fixed byte pattern at the RET offset.
  • ·EXITFUNC is set to 'process', meaning successful exploitation terminates the IreIKE.exe process; a sudden crash/restart of ireIke.exe after inbound UDP/62514 traffic should be treated as a post-exploitation indicator.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.