CVE-2011-3498
published 2011-09-16

Priority: P3 (56)
Severity: critical, CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 10.26% (95.1st percentile)
Heap-based buffer overflow in Progea Movicon / PowerHMI 11.2.1085 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long request.

Affected (3 ranges)

Vendor   Product            Version range   Fixed in
progea   movicon_powerhmi   <= 11.2.1085    -
progea   movicon_powerhmi   -               -
progea   movicon_powerhmi   -               -

Detection & IOCs (extracted from sources)

Port: 808/TCP
Port: 12233/TCP
URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-1.dat
URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-3.dat
URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip
Command: nc SERVER 808 < movicon_1.dat
Command: udpsz -T -b 0x61 SERVER 808 10000
Command: nc SERVER 808 < movicon_3.dat
  • Detect oversized HTTP requests (more than 8192 bytes) to port 808/TCP targeting Movicon/PowerHMI: the server uses a fixed 8192-byte buffer for incoming HTTP requests, and longer input overflows it.
  • Alert on HTTP requests to port 808/TCP containing a negative Content-Length header value, which triggers the heap overflow via memcpy.
  • Monitor for EIDP protocol packets tunnelled through port 808/TCP HTTP requests with anomalously large size fields; direct exploitation via port 12233/TCP does not appear viable.
  • Flag any inbound connections to port 808/TCP and 12233/TCP on ICS/SCADA hosts running Progea Movicon or PowerHMI, especially from external/internet-facing sources.
  • The EIDP memory corruption bug (CVE-2011-3499) can only be triggered via port 808/TCP HTTP tunnelling, not directly via port 12233/TCP; detection on port 12233 alone is insufficient.
  • The null-byte write primitive in the EIDP bug is constrained to memory addresses above 0x7FFFFFFF, limiting reliable exploitation primarily to 64-bit environments.
  • Public PoC exploit files (movicon_1.dat, movicon_3.dat, udpsz) exist; low-skill attackers can achieve DoS, while skilled attackers may achieve RCE.
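The two request-level detection rules above (oversized request to 808/TCP, negative Content-Length) as one inspection routine run over constructed sample requests. This is an added example, not code from the CVE record or from Progea; the sample requests, the `inspect_request` and `scan_samples` names, and the host name `hmi` are constructed for illustration.

```python
import re

# Values taken from the detection notes: Movicon/PowerHMI listens for HTTP on
# 808/TCP and copies each incoming request into a fixed 8192-byte buffer.
MOVICON_HTTP_PORT = 808
REQUEST_BUFFER_SIZE = 8192

# Matches a Content-Length header line; the capture keeps an optional minus sign
# so a negative value can be flagged.
_CONTENT_LENGTH_RE = re.compile(
    rb"^content-length:\s*(-?\d+)\s*$", re.IGNORECASE | re.MULTILINE
)


def inspect_request(dst_port: int, payload: bytes) -> list:
    """Return alert strings for one raw HTTP request sent to dst_port.

    Only traffic to the Movicon HTTP port is considered; other ports yield no alerts.
    """
    alerts = []
    if dst_port != MOVICON_HTTP_PORT:
        return alerts
    # Rule 1: anything longer than the server's fixed buffer overflows it.
    if len(payload) > REQUEST_BUFFER_SIZE:
        alerts.append(f"oversized request: {len(payload)} bytes > {REQUEST_BUFFER_SIZE}")
    # Rule 2: a negative Content-Length is passed to memcpy by the server.
    head, _, _ = payload.partition(b"\r\n\r\n")
    match = _CONTENT_LENGTH_RE.search(head)
    if match and int(match.group(1)) < 0:
        alerts.append(f"negative Content-Length: {match.group(1).decode()}")
    return alerts


# Constructed sample requests (not captured traffic): one benign, one that
# exceeds the 8192-byte buffer, one carrying a negative Content-Length.
SAMPLES = {
    "benign": b"GET /index.htm HTTP/1.1\r\nHost: hmi\r\n\r\n",
    "oversized": b"GET /" + b"A" * 9000 + b" HTTP/1.1\r\nHost: hmi\r\n\r\n",
    "negative_cl": b"POST / HTTP/1.1\r\nHost: hmi\r\nContent-Length: -1\r\n\r\n",
}


def scan_samples() -> dict:
    """Run every sample through inspect_request as if sent to 808/TCP."""
    return {name: inspect_request(MOVICON_HTTP_PORT, req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(name, alerts or "no alert")
```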