Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2009-3518 — Code Injection in IBM Installation Manager

CWE-94 — Code Injection4 documents4 sources

Severity

9.3CRITICALNVD

EPSS

8.4%

top 7.69%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

IBM Installation Manager

Timeline

PublishedOct 1

Latest updateMay 2

Description

Argument injection vulnerability in the iim: URI handler in IBMIM.exe in IBM Installation Manager 1.3.2 and earlier, as used in IBM Rational Robot and Rational Team Concert, allows remote attackers to load arbitrary DLL files via the -vm option, as demonstrated by a reference to a UNC share pathname.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

▶NVDibm/installation_manager1.3.2+4

🔴Vulnerability Details

GHSA

GHSA-47gr-pfr8-r958: Argument injection vulnerability in the iim: URI handler in IBMIM↗2022-05-02

▶

CVEList

CVE-2009-3518: Argument injection vulnerability in the iim: URI handler in IBMIM↗2009-10-01

▶

💥Exploits & PoCs

Exploit-DB

IBM Installation Manager 1.3.0 - 'iim://' URI handler↗2009-09-29

▶