CVE-2011-3495
published 2011-09-16

Priority: P2 60
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 10.80% (95.3th percentile)
Multiple directory traversal vulnerabilities in service.exe in Measuresoft ScadaPro 4.0.0 and earlier allow remote attackers to read, modify, or delete arbitrary files via the (1) RF, (2) wF, (3) UF, or (4) NF command.

Affected

45 ranges · showing 25

Vendor | Product | Version range | Fixed in
measuresoft | scadapro | <= 4.0.0 |

Detection & IOCs (extracted from sources)

port: 11234/UDP
command: RF
command: wF
command: UF
command: NF
command: XF
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17844-2.zip
filename: scadapro_1b.dat
filename: scadapro_1c.dat
filename: scadapro_1d.dat
filename: scadapro_1e.dat
process: service.exe
  • Monitor for tab-separated command strings sent to port 11234/UDP matching the RF, wF, UF, NF, or XF command patterns used by ScadaPro service.exe; note that 'wF' uses a lowercase first character specifically to bypass an internal check.
  • Alert on XF command usage targeting msvcrt.dll 'system' function over port 11234/UDP, which enables arbitrary OS command execution.
  • Detect directory traversal sequences (e.g., '../') within RF/wF/UF/NF command payloads on port 11234/UDP targeting service.exe.
  • Inspect BF, OF, and EF backup command arguments for injected double-quote characters ('"') which enable command injection into mszip and other backup program invocations.
  • Port 11234/UDP is the attack surface; the vendor fix (v4.0.1) disables this port by default. Verify this port is blocked at the perimeter for all unpatched deployments.
  • The RF command's directory traversal check is bypassable by lowercasing the first character (i.e., 'wF' instead of 'WF'); detection rules must account for case variations.
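
The checks listed above, combined into one payload classifier as an added example (not code from this page or from Measuresoft). It assumes each payload on port 11234/UDP starts with a two-character command token followed by tab-separated arguments; `inspect_datagram` and the sample payloads are constructed for illustration.

```python
import re

FILE_CMDS = {"RF", "WF", "UF", "NF"}   # file commands named on the page
BACKUP_CMDS = {"BF", "OF", "EF"}       # backup commands named on the page
TRAVERSAL = re.compile(r"\.\.[\\/]")   # matches '../' and '..\'

def inspect_datagram(payload: bytes) -> list[str]:
    """Return findings for one payload seen on port 11234/UDP.

    Assumed layout (not stated on the page): a two-character command
    token followed by tab-separated arguments.
    """
    text = payload.decode("latin-1")   # latin-1 never fails on raw bytes
    token, args = text[:2], text[2:].split("\t")
    cmd = token.upper()                # fold case so 'wF' and 'WF' both match
    findings = []
    if cmd in FILE_CMDS:
        findings.append(f"file command {token!r}")
        if token != cmd:
            findings.append("case-variant command token")
        if any(TRAVERSAL.search(a) for a in args):
            findings.append("directory traversal sequence")
    elif cmd == "XF":
        findings.append("XF command")
        lowered = [a.strip().lower() for a in args]
        if "msvcrt.dll" in lowered and "system" in lowered:
            findings.append("XF targets msvcrt.dll system")
    elif cmd in BACKUP_CMDS:
        if any('"' in a for a in args):
            findings.append(f"double quote in {cmd} arguments")
    return findings

# Constructed sample payloads (illustrative, not captured traffic).
SAMPLES = [
    b"RF\t..\\..\\example.txt",
    b"wF\tlogs/../../example.txt",
    b"XF\tmsvcrt.dll\tsystem\tARG",
    b'BF\tbackup"name',
    b"NF\treport.txt",
    b"ZZ\tanything",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_datagram(sample) or "no finding")
```

Matching on the upper-cased token while recording the original spelling is what keeps the 'wF' variant from slipping past a rule written only for the canonical spelling.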