CVE-2011-4051
published 2011-12-05

Priority P279 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 70.16% (99.3th percentile)
CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 does not require authentication, which allows remote attackers to execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
indusoft | web_studio | |
indusoft | web_studio | |

Detection & IOCs (extracted from sources)

process: CEServer.exe
port: 4322/TCP
bytes: \x02\x37 (Command: Select destination / upload initiation)
bytes: \x10\x03 (End of packet marker)
bytes: \x02\x06\x10\x03 (Successful upload response)
bytes: \x14 (Get Application Version command)
bytes: \x13 (Get Operating System command)
bytes: \x15 (Remove file operation opcode)

  • Monitor for unauthenticated TCP connections to port 4322 targeting CEServer.exe; any connection without a preceding authentication exchange is suspicious.
  • Detect exploit probing by watching for the single-byte 0x14 probe sent to port 4322/TCP, which elicits the InduSoft version banner from CEServer.exe.
  • Detect exploit traffic by matching the upload command byte sequence \x02\x37 at the start of a TCP payload on port 4322.
  • The exploit targets Windows XP and Windows 2003 (pre-Vista) systems; prioritize detection and patching on those OS versions running InduSoft Web Studio 6.1 or 7.0.
  • The Metasploit module's WMI-based payload execution method (dropping .mof files) only works on Windows pre-Vista; exploitation path differs on Vista and later.
  • The version check in the exploit distinguishes between InduSoft Web Studio v6.1 (Vulnerable) and other InduSoft versions (Detected), so banner-based detection is version-specific.
  • CVE-2011-4052 is a separate but related stack buffer overflow in CEServer triggered by the remove file operation (0x15); do not conflate its detection signatures with CVE-2011-4051.
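
The detection guidance above, written out as a triage routine. This is an added example, not code from this page or from any vendor: it labels TCP payloads seen on port 4322 using only the byte patterns listed here and rates each client by what it sent. The event tuple layout, the severity names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

CESERVER_PORT = 4322                 # port listed on this page
UPLOAD_START = b"\x02\x37"           # upload initiation command
UPLOAD_OK = b"\x02\x06\x10\x03"      # successful upload response
PROBES = {b"\x14": "version-probe", b"\x13": "os-probe"}
# 0x15 (remove file) belongs to CVE-2011-4052 and is deliberately not matched here.

def classify(direction, payload):
    """Label one TCP payload seen on port 4322 ('c2s' = client to server)."""
    if direction == "c2s":
        if payload in PROBES:                 # single-byte probe only
            return PROBES[payload]
        if payload.startswith(UPLOAD_START):  # must be at start of payload
            return "upload-start"
    elif direction == "s2c" and payload == UPLOAD_OK:
        return "upload-ok"
    return None

def triage(events):
    """Group labels per client and rate them; returns {client: (severity, labels)}."""
    seen = defaultdict(list)
    for client, port, direction, payload in events:
        if port != CESERVER_PORT:
            continue
        label = classify(direction, payload)
        if label:
            seen[client].append(label)
    rated = {}
    for client, labels in seen.items():
        if "upload-start" in labels:
            severity = "critical" if "upload-ok" in labels else "high"
        else:
            severity = "medium"
        rated[client] = (severity, labels)
    return rated

# Constructed sample events: (client_ip, server_port, direction, payload).
SAMPLE_EVENTS = [
    ("192.0.2.10", 4322, "c2s", b"\x14"),
    ("192.0.2.10", 4322, "c2s", UPLOAD_START + b"constructed-filler\x10\x03"),
    ("192.0.2.10", 4322, "s2c", UPLOAD_OK),
    ("198.51.100.7", 4322, "c2s", b"\x14"),
    ("198.51.100.9", 80, "c2s", UPLOAD_START + b"x"),   # wrong port, ignored
    ("198.51.100.9", 4322, "c2s", b"\x15constructed"),  # CVE-2011-4052 opcode, not ours
]

if __name__ == "__main__":
    for client, (severity, labels) in triage(SAMPLE_EVENTS).items():
        print(client, severity, labels)
```

A client rated "critical" sent the upload command and the server answered with the success response; "medium" means probing only.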