CVE-2011-1565
published 2011-04-05


Priority: P2 (73)
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 64.06% (99.1th percentile)
Directory traversal vulnerability in IGSSdataServer.exe 9.00.00.11063 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to (1) read (opcode 0x3) or (2) create or write (opcode 0x2) arbitrary files via ..\ (dot dot backslash) sequences to TCP port 12401.

Detection & IOCs (extracted from sources)

port: 12401
port: 12397
process: IGSSdataServer.exe
process: dc.exe
command: opcode 0x3 (read file)
command: opcode 0x2 (write/create file)
command: opcode 0x0D (Write packets) via port 12401
command: opcode 0x0A (EXE packet) to port 12397
command: opcode 0xa and 0x17 (arbitrary command execution via directory traversal) on port 12397
  • Detect directory traversal attempts using '..\' sequences in TCP traffic destined for port 12401 (IGSSdataServer.exe). Focus on opcodes 0x02 (write/create) and 0x03 (read) in packet payloads.
  • Monitor TCP port 12397 (dc.exe) for opcode 0x0A and 0x17 packets, which can trigger arbitrary executable launch via directory traversal. Payload delivery via opcode 0x0D on port 12401 followed by opcode 0x0A on port 12397 is the Metasploit exploitation chain.
  • Alert on new processes spawned by dc.exe (port 12397), especially unexpected executables created via CreateProcessA, as this is the code execution mechanism used by the exploit.
  • Detect opcode 0x8 / command 0x4 packets to port 12401 that contain oversized SQL-related fields, indicative of the STDREP stack buffer overflow (256-byte stack buffer for SQL query construction).
  • The directory traversal and command execution vulnerabilities affect IGSSdataServer.exe version 9.00.00.11063 and earlier; verify the exact version in your environment before applying detections.
  • No vendor fix was available at the time of disclosure; network-level blocking of TCP ports 12401 and 12397 from untrusted sources is the primary mitigation.
  • The exploitability of the stack overflow via opcode 0x8/command 0x4 for code execution was not confirmed at the time of disclosure.
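
The traversal and port-sequence detections listed above, applied to constructed flow records. This is an added example, not code from the advisory or from any vendor tooling. The Event record, the 60-second correlation window and the sample payloads are assumptions, and opcodes are not parsed because the page does not give their offsets in the packet.

```python
from collections import namedtuple

# Hypothetical flow record: epoch seconds, source IP, destination port, raw payload.
Event = namedtuple("Event", "ts src dport payload")

DATASERVER_PORT = 12401   # IGSSdataServer.exe
DC_PORT = 12397           # dc.exe
TRAVERSAL = b"..\\"       # dot dot backslash
CHAIN_WINDOW = 60         # seconds; assumed value, tune for your network

def detect(events, window=CHAIN_WINDOW):
    """Return (ts, src, rule) alerts for traffic to the two IGSS ports."""
    alerts = []
    last_dataserver_hit = {}  # src -> ts of last traversal payload sent to 12401
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dport not in (DATASERVER_PORT, DC_PORT):
            continue  # other services are out of scope for this rule set
        if TRAVERSAL not in ev.payload:
            continue
        if ev.dport == DATASERVER_PORT:
            alerts.append((ev.ts, ev.src, "traversal-to-12401"))
            last_dataserver_hit[ev.src] = ev.ts
        else:
            alerts.append((ev.ts, ev.src, "traversal-to-12397"))
            seen = last_dataserver_hit.get(ev.src)
            # Same source touched 12401 and then 12397 within the window:
            # the file-write-then-launch sequence described above.
            if seen is not None and ev.ts - seen <= window:
                alerts.append((ev.ts, ev.src, "write-then-exec-chain"))
    return alerts

# Constructed sample records; payloads are placeholders, not real IGSS packets.
SAMPLE = [
    Event(0, "10.0.0.5", 12401, b"CONSTRUCTED ..\\..\\dir\\file.bin"),
    Event(20, "10.0.0.5", 12397, b"CONSTRUCTED ..\\..\\dir\\file.bin"),
    Event(30, "10.0.0.9", 12401, b"CONSTRUCTED report.rms"),
    Event(40, "10.0.0.5", 80, b"CONSTRUCTED ..\\ on an unrelated port"),
    Event(500, "10.0.0.7", 12397, b"CONSTRUCTED ..\\x"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
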