Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-3028

4 documents, 4 sources
Severity
6.8 MEDIUM
EPSS
62.6%
top 1.62%
CISA KEV
Not in KEV
Exploit
PoC available
Timeline
Published: Mar 7
Latest update: May 2

Description

The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib.dll, as used in Symantec Altiris Deployment Solution 6.9.x, Notification Server 6.0.x, and Symantec Management Platform 7.0.x, exposes an unsafe method, which allows remote attackers to force the download of arbitrary files and possibly execute arbitrary code via the DownloadAndInstall method.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Patches

🔴 Vulnerability Details

2
GHSA
GHSA-c3j9-9fc9-p66x: The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib | 2022-05-02
CVEList
CVE-2009-3028: The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib | 2011-03-07

💥 Exploits & PoCs

1
Exploit-DB
Symantec Altiris Deployment Solution - ActiveX Control Arbitrary File Download and Execute (Metasploit) | 2010-11-24