CVE-2011-1564
published 2011-04-05

CVE-2011-1564: Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code…

Priority: P2 62
Severity: critical, CVSS 2.0 score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 18.63% (96.9th percentile)
Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via crafted (1) On_FC_MISC_FCS_MSGBROADCAST and (2) On_FC_MISC_FCS_MSGSEND packets, which trigger a heap-based buffer overflow.

Affected (3 ranges)

Vendor     Product   Version range   Fixed in
realflex   realwin   <= 2.1          -
realflex   realwin   -               -
realflex   realwin   -               -

Detection & IOCs (extracted from sources)

port: 910
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-6.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-5.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-7.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17025-8.zip
command: nc SERVER 910 < realwin_6?.dat
command: nc SERVER 910 < realwin_5?.dat
command: nc SERVER 910 < realwin_7?.dat
command: nc SERVER 910 < realwin_8.dat
  • Detect exploitation attempts targeting TCP port 910 with On_FC_MISC_FCS_MSGBROADCAST or On_FC_MISC_FCS_MSGSEND packet types — these trigger integer overflow leading to heap-based buffer overflow in DATAC RealWin HMI.
  • Monitor TCP port 910 for oversized or malformed packets targeting On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, On_FC_CGETTAG_FCS_SETTELEMETRY, and On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY — these trigger a stack overflow via a ~200-byte stack buffer path construction.
  • Monitor TCP port 910 for On_FC_SCRIPT_FCS_STARTPROG packets with oversized input strings — exploitation copies attacker-controlled input into a ~4KB stack buffer at function 00439620.
  • For On_FC_MISC_FCS_MSGBROADCAST/MSGSEND exploitation, the attacker-supplied 32-bit size field plus 0x16 causes integer overflow in heap allocation — inspect packet size fields for values near 0xFFFFFFEA or larger.
  • No vendor patch was available at time of disclosure — affected deployments of DATAC RealWin 2.1 (Build 6.1.10.10) and earlier remain permanently exposed unless network-level controls are applied.
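Added example (not from this page, the vendor, or the cited exploit sources): the detection rules above expressed as a check over already-parsed packet records. The RealWin wire format is not on this page, so the record fields (destination port, packet type name, declared 32-bit size field, observed payload length) are an assumption, and the sample records are constructed.

```python
# Added example: applies the detection rules from the bullets above to
# already-parsed RealWin packet records. The packet layout is NOT on the page;
# the record fields used here are an assumption, and SAMPLE_PACKETS is constructed.

MSG_TYPES = {"On_FC_MISC_FCS_MSGBROADCAST", "On_FC_MISC_FCS_MSGSEND"}
TELEMETRY_TYPES = {
    "On_FC_CGETTAG_FCS_GETTELEMETRY",
    "On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY",
    "On_FC_CGETTAG_FCS_SETTELEMETRY",
    "On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY",
}
STARTPROG_TYPE = "On_FC_SCRIPT_FCS_STARTPROG"

HEAP_HEADER = 0x16          # constant the HMI adds to the size field before allocating
TELEMETRY_STACK_BUF = 200   # approximate stack buffer size given in the advisory text
STARTPROG_STACK_BUF = 4096  # approximate stack buffer size given in the advisory text
REALWIN_PORT = 910

def wraps_u32(size_field: int, added: int = HEAP_HEADER) -> bool:
    """True when size_field + added no longer fits in 32 bits (allocation is under-sized)."""
    return (size_field + added) > 0xFFFFFFFF

def classify(pkt: dict) -> list:
    """Return the names of the detection rules a parsed packet record triggers."""
    hits = []
    if pkt.get("dst_port") != REALWIN_PORT:
        return hits
    ptype, size, plen = pkt["type"], pkt["size_field"], pkt["payload_len"]
    if ptype in MSG_TYPES and wraps_u32(size):
        hits.append("msg-size-integer-overflow")
    if ptype in TELEMETRY_TYPES and plen > TELEMETRY_STACK_BUF:
        hits.append("telemetry-oversized")
    if ptype == STARTPROG_TYPE and plen > STARTPROG_STACK_BUF:
        hits.append("startprog-oversized")
    return hits

SAMPLE_PACKETS = [  # constructed records, not captured traffic
    {"dst_port": 910, "type": "On_FC_MISC_FCS_MSGSEND", "size_field": 0x40, "payload_len": 64},
    {"dst_port": 910, "type": "On_FC_MISC_FCS_MSGSEND", "size_field": 0xFFFFFFEA, "payload_len": 600},
    {"dst_port": 910, "type": "On_FC_CGETTAG_FCS_GETTELEMETRY", "size_field": 0x300, "payload_len": 768},
    {"dst_port": 910, "type": "On_FC_SCRIPT_FCS_STARTPROG", "size_field": 0x1200, "payload_len": 4608},
    {"dst_port": 8080, "type": "On_FC_SCRIPT_FCS_STARTPROG", "size_field": 0x1200, "payload_len": 4608},
]

def scan(packets: list) -> list:
    """Return (index, triggered rules) for every record that triggers at least one rule."""
    return [(i, classify(p)) for i, p in enumerate(packets) if classify(p)]
```

Only the first rule keys off the size field; the other two need the observed payload length, which the declared size cannot be trusted to report.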

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
ghsa            -         6.5     MEDIUM     -
vendor_redhat   -         6.5     MEDIUM     -