CVE-2011-1653
published 2011-04-18

Priority: P277 · Severity: critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 88.66% (99.8th percentile)

Multiple SQL injection vulnerabilities in the Unified Network Control (UNC) Server in CA Total Defense (TD) r12 before SE2 allow remote attackers to execute arbitrary SQL commands via vectors involving the (1) UnAssignFunctionalRoles, (2) UnassignAdminRoles, (3) DeleteFilter, (4) NonAssignedUserList, (5) DeleteReportLayout, (6) DeleteReports, and (7) RegenerateReport stored procedures.

Affected

1 range
Vendor | Product | Version range | Fixed in
broadcom | total_defense | |

Detection & IOCs (extracted from sources)

url: /UNCWS/Management.asmx
port: 34443
command: '') exec master.dbo.sp_configure 'show advanced options', 1;reconfigure;--
command: '') exec master.dbo.sp_configure 'xp_cmdshell',1;reconfigure;--
command: '') exec master.dbo.xp_cmdshell 'cmd.exe /c #{cmd}';--
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT CA Total Defense Suite SQLi Attempt Inbound (CVE-2011-1653)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"modifiedData="; fast_pattern; pcre:"/^.{0,50}\x3b.*?\s[A-Z]{1,20}\s/R"; reference:cve,2011-1653; classtype:web-application-attack; sid:2061826; rev:1; metadata:attack_target Server, created_at 2025_04_23, cve CVE_2011_1653, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to the SOAP endpoint /UNCWS/Management.asmx; monitor for POST traffic to this path on port 34443 (SSL).
  • Malicious SOAP body injects SQL into the ReportIDs element; look for semicolons followed by SQL keywords (e.g., EXEC, RECONFIGURE) within the ReportIDs XML field.
  • Exploit chain enables xp_cmdshell via sp_configure then executes cmd.exe; alert on SQL Server audit logs for sp_configure 'xp_cmdshell' enable events originating from the UNC service account.
  • Content-Type header 'application/soap+xml; charset=utf-8' combined with POST to /UNCWS/Management.asmx is a reliable network signature for this exploit.
  • The ET Snort rule keys on HTTP POST body containing 'modifiedData=' followed by a semicolon and an uppercase SQL keyword (pcre /^.{0,50}\x3b.*?\s[A-Z]{1,20}\s/R); use this pattern for network IDS tuning.
  • Dropped payload executable has a randomly generated alphanumeric filename with .exe extension written to the current working directory; monitor for anomalous .exe creation by the SQL Server process.
  • The module was tested specifically against MS SQL Server 2005 Express bundled with CA Total Defense Suite R12; the xp_cmdshell injection chain may behave differently on other SQL Server versions.
  • CA Total Defense Suite's real-time protection will quarantine the default Metasploit executable payload; an alternate exe template is required to bypass quarantine.
  • SSL is enabled by default on port 34443; network inspection must perform SSL/TLS decryption to detect the exploit payload in transit.
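
The network checks listed above can be combined into one triage function for HTTP requests that have already been TLS-decrypted. This is an added example, not code from this page or from the rule's authors; the request-record layout (a dict with method, path, content_type and body), the reason labels and the sample records are assumptions constructed for illustration.

```python
import html
import re

UNC_PATH = "/uncws/management.asmx"  # endpoint named on the page, lowercased
# ET rule body logic: content "modifiedData=" followed by the rule's relative pcre.
MODIFIED_DATA = re.compile(rb"modifiedData=.{0,50}\x3b.*?\s[A-Z]{1,20}\s")
# Page heuristic: a semicolon followed by a SQL keyword inside <ReportIDs>.
REPORT_IDS = re.compile(r"<(?:\w+:)?ReportIDs>(.*?)</(?:\w+:)?ReportIDs>", re.I | re.S)
STACKED_SQL = re.compile(r";\s*(?:exec(?:ute)?|reconfigure)\b", re.I)


def classify(req):
    """Return the reasons a decrypted HTTP request record looks suspicious.

    `req` is a hypothetical record: method, path, content_type, body (bytes).
    """
    reasons = []
    if req["method"].upper() != "POST":
        return reasons
    if MODIFIED_DATA.search(req["body"]):
        reasons.append("et_modifiedData_sqli")
    if req["path"].split("?")[0].lower() == UNC_PATH:
        if req.get("content_type", "").lower().startswith("application/soap+xml"):
            reasons.append("soap_post_to_unc_endpoint")  # context, not proof
        text = req["body"].decode("latin-1")
        for field in REPORT_IDS.findall(text):
            # Unescape XML entities first so "&apos;" does not supply a fake ";".
            if STACKED_SQL.search(html.unescape(field)):
                reasons.append("stacked_sql_in_ReportIDs")
                break
    return reasons


SOAP = "application/soap+xml; charset=utf-8"
SAMPLES = [  # constructed records, not captured traffic
    {"method": "POST", "path": "/UNCWS/Management.asmx", "content_type": SOAP,
     "body": b"<soap:Body><ReportIDs>7;exec sp_who;--</ReportIDs></soap:Body>"},
    {"method": "POST", "path": "/UNCWS/Management.asmx", "content_type": SOAP,
     "body": b"<soap:Body><ReportIDs>O&apos;Exec 12</ReportIDs></soap:Body>"},
    {"method": "POST", "path": "/form",
     "content_type": "application/x-www-form-urlencoded",
     "body": b"modifiedData=1; EXEC sp_who "},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], classify(sample))
```

A SOAP POST to the endpoint on its own is reported only as context, since legitimate management traffic uses the same path and content type; the other two labels are the ones to alert on.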