CVE-2011-1889
published 2011-06-16


Priority: P185 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability (due 2022-03-24)
Exploited in the wild
EPSS: 48.37% (98.7th percentile)

The NSPLookupServiceNext function in the client in Microsoft Forefront Threat Management Gateway (TMG) 2010 allows remote attackers to execute arbitrary code via vectors involving unspecified requests, aka "TMG Firewall Client Memory Corruption Vulnerability."

Affected

1 range

Vendor | Product | Version range | Fixed in
microsoft | forefront_threat_management_gateway | |

Detection & IOCs (extracted from sources)

  • Vulnerability is triggered via the NSPLookupServiceNext function in the Microsoft Forefront TMG Firewall Client Winsock provider; monitor for anomalous calls or crashes in this function on TMG client systems
  • Code execution occurs in the security context of the client application using the TMG Firewall Client Winsock provider; monitor for unexpected child processes or code injection from applications using the TMG Winsock provider
  • The attack vectors are described as 'unspecified requests', meaning the exact network-level trigger is not publicly documented, limiting precise network-based detection rule creation

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 9.8 | CRITICAL |
cisa | | 9.8 | CRITICAL |