CVE-2011-3497
published 2011-09-16


Priority: P2 · 71 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public exploit: yes
EPSS: 58.75% (99.0th percentile)
service.exe in Measuresoft ScadaPro 4.0.0 and earlier allows remote attackers to execute arbitrary DLL functions via the XF function, possibly related to an insecure exposed method.

Affected

45 ranges · showing 25

Vendor        Product    Version range   Fixed in
measuresoft   scadapro   <= 4.0.0        (not listed)

Detection & IOCs (extracted from sources)

port: 11234/UDP
process: service.exe
command: XF
command: udpsz -d 2 -c "xx%" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
command: udpsz -d 2 -c "xx%test\t" -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
command: udpsz -d 2 -c "xx%test," -b a -X 0 16 l 0x6161 -T -l 0 SERVER 11234 0x2000
url: http://aluigi.org/testz/udpsz.zip
url: http://aluigi.org/poc/scadapro_1.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17844-2.zip
filename: msvcrt.dll
  • Monitor for UDP traffic on port 11234 directed at the ScadaPro service.exe; treat any inbound traffic on that port as suspicious, since patched versions disable it by default.
  • Detect exploitation attempts using the 'XF' command over UDP port 11234, particularly those referencing msvcrt.dll and the system() function, which allow arbitrary command execution.
  • Detect directory traversal patterns in 'RF' and 'wF' commands sent to port 11234/UDP; these can be used to read or write arbitrary files on the target system.
  • Alert on use of the 'UF' and 'NF' commands on port 11234/UDP, which can delete files and entire directories on the target.
  • Flag double-quote characters injected into the arguments of the backup commands ('BF', 'OF', 'EF') sent to port 11234/UDP; they can be used to inject commands into mszip or other backup programs.
  • The Metasploit module 'exploits/windows/scada/scadapro_cmdexe' targets this vulnerability; detect its use via network signatures or endpoint telemetry showing service.exe spawning child processes.
  • Port 11234/UDP is the attack vector; in unpatched ScadaPro 4.0.0 and earlier this port is open by default. The fix (v4.0.1) disables it by default, so a listener on this port is a strong indicator of a vulnerable or misconfigured deployment.
  • The vulnerability affects ScadaPro version 4.0.0.0 and earlier; version 4.0.1 contains the fix. Detection rules should be scoped to systems still running a vulnerable version.